[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]
kevin at kismith.co.uk
Tue Sep 11 16:30:11 UTC 2007
On 11 Sep 2007, at 17:20, Ian Paterson wrote:
> Even where TLS is available, SASL PLAIN requires server operators
> to keep copies of all users' passwords. This is a serious (and
> often unnecessary) security weakness.
I'm not sure that's true; the server could hash the password still,
both in storage and at the end of the wire. It doesn't help against a
compromised server that's still accepting connections, but the
passwords don't need to be stored plaintext afaics.
More information about the Standards