Guest
Posted: Sun Sep 10, 2006 5:15 am

On 9/10/06, Brian Campbell <bacam@z273.org.uk> wrote:
> On Sat, Sep 09, 2006 at 09:21:18PM +0400, Sergei Golovan wrote:
> > If ejabberd stored hashed passwords it would be impossible to use
> > secure authentication over unencrypted user connection. Passwords
>
> You mean with SASL DIGEST authentication? The RFC for it discusses
> exactly what you should do to store hashed passwords (actually, a hash
> of user name, realm and password, which is more effective). This gives
> you the best of both worlds: you never explicitly give the password when
> authenticating, and the server doesn't store it explicitly either.
As discussed in section 3.9 of RFC 2831, storing hashed passwords does
not add much to security. If the database is compromised, the attacker
gets access to all user accounts (almost) as easily as if passwords were
stored in clear text.
--
Sergei Golovan
_______________________________________________
ejabberd mailing list
ejabberd@jabber.ru
http://lists.jabber.ru/mailman/listinfo/ejabberd
Post received from mailing list

Guest
Posted: Sun Sep 10, 2006 9:51 am

On Sun, Sep 10, 2006 at 09:14:29AM +0400, Sergei Golovan wrote:
> On 9/10/06, Brian Campbell <bacam@z273.org.uk> wrote:
> >On Sat, Sep 09, 2006 at 09:21:18PM +0400, Sergei Golovan wrote:
> >> If ejabberd stored hashed passwords it would be impossible to use
> >> secure authentication over unencrypted user connection. Passwords
> >
> >You mean with SASL DIGEST authentication? The RFC for it discusses
> >exactly what you should do to store hashed passwords (actually, a hash
> >of user name, realm and password, which is more effective). This gives
> >you the best of both worlds: you never explicitly give the password when
> >authenticating, and the server doesn't store it explicitly either.
>
> As discussed in section 3.9 of RFC 2831 storing hashed passwords does
> not add much to security. If the database is compromised the attacker
> gets access to all user accounts (almost) as easy as if password were
> stored in clear text.
The point is to protect the password rather than the accounts. Users
will often risk reusing the same password for many services rather than
trying to remember several, and storing plaintext passwords forces them
to change the password on all of them if the database is compromised.
(They still need to use a different password on the compromised service
with DIGEST though. I'm surprised that the hash doesn't contain salt to
prevent its reuse.)
Brian
Post received from mailing list
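To make both points in this thread concrete, here is an added Python example (not code from ejabberd or from either poster) that computes the DIGEST-MD5 exchange of RFC 2831 from the server-side value the RFC allows a server to store, H(username:realm:password), instead of the password. It uses the worked example from RFC 2831 section 4 as its input and shows that the stored value alone is enough to produce and verify a valid response (Sergei's point), while the value is bound to the realm and does not expose the password itself but carries no random salt (Brian's point).

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    """16-byte MD5 digest, as H() is defined in RFC 2831."""
    return hashlib.md5(data).digest()

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What a DIGEST-MD5 server may keep instead of the password
    (RFC 2831 section 3.9): H(username ":" realm ":" password)."""
    return H(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """Client response for qop=auth, derived from the stored value only;
    the cleartext password is not needed beyond stored_secret()."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")           # no authzid
    ha1 = H(a1).hex()
    ha2 = H(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hex()  # A2 for qop=auth
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()

def server_accepts(secret: bytes, nonce: str, cnonce: str, nc: str,
                   qop: str, digest_uri: str, response: str) -> bool:
    """Server-side check: recompute from the stored value, compare in constant time."""
    expected = digest_response(secret, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)

# Input taken from the worked example in RFC 2831 section 4.
RFC_VECTOR = dict(username="chris", realm="elwood.innosoft.com", password="secret",
                  nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
                  qop="auth", digest_uri="imap/elwood.innosoft.com")
RFC_RESPONSE = "d388dad90d4bbd760a152321f2143af7"  # response given in that example

def demo() -> dict:
    v = RFC_VECTOR
    secret = stored_secret(v["username"], v["realm"], v["password"])
    args = (v["nonce"], v["cnonce"], v["nc"], v["qop"], v["digest_uri"])
    response = digest_response(secret, *args)
    return {
        "response": response,
        # The stored value alone yields a response the server accepts, so a
        # leaked database is password-equivalent for this realm (RFC 2831, 3.9).
        "stored_value_suffices": server_accepts(secret, *args, response),
        # The realm is part of the hash, so the stored value differs per service
        # and does not reveal the password; but there is no random salt, so the
        # same username/realm/password always gives the same stored value.
        "bound_to_realm": secret != stored_secret(v["username"], "other.example", v["password"]),
        "deterministic": secret == stored_secret(v["username"], v["realm"], v["password"]),
    }

if __name__ == "__main__":
    print(demo())
```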