[ejabberd] Re: Encrypted Passwords

Matthias Wimmer m at tthias.net
Tue Oct 12 13:56:24 MSD 2004


Hi Arioch!

Arioch /BDV/ wrote on 2004-10-12 12:25:33:
> What ? Passwords are *never* to be stored on server!!!
> There are hashes for that.

This is the same discussion we have for jabberd14/jabberd2 from
time to time too. The point is that storing only hashes on the server
limits the number of available authentication mechanisms. Good
authentication mechanisms NEED the password on the server. If the
authentication mechanism does not transmit the password over the
internet (which is much more risky) the server does not get anything it
can hash and compare. Therefore if you transmit only a hash, the server
needs the clear password or something equivalent to calculate the hash
as well and to compare the hash afterwards.


See you
    Matthias

-- 
Fon: +49-(0)70 0770 07770       http://web.amessage.info
HAM: DB1MW                      xmpp:mawis at amessage.info
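
The argument in the message above, as an added example that is not part of the original post: a generic HMAC challenge-response stands in for "an authentication mechanism that does not transmit the password" (an assumption; it is not ejabberd's or jabberd's actual mechanism), and the password, salt and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def response(secret: bytes, challenge: bytes) -> str:
    """Proof sent over the wire instead of the secret itself."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def stored_hash(password: bytes, salt: bytes) -> bytes:
    """What a hash-only server keeps in its user database."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify(server_secret: bytes, challenge: bytes, proof: str) -> bool:
    """Server recomputes the proof from whatever it has stored."""
    return hmac.compare_digest(response(server_secret, challenge), proof)


def demo() -> dict:
    password = b"correct horse"   # constructed sample password
    salt = b"constructed-salt"    # constructed sample salt
    challenge = os.urandom(16)    # fresh server nonce for this login
    hashed = stored_hash(password, salt)

    client_proof = response(password, challenge)
    return {
        # Server stores the clear password: it can recompute the proof.
        "cleartext_store": verify(password, challenge, client_proof),
        # Server stores only the hash: it cannot recompute the same proof.
        "hash_only_store": verify(hashed, challenge, client_proof),
        # Client keys the proof with the hash instead: login works, but the
        # stored hash is now the login secret ("something equivalent").
        "hash_as_secret": verify(hashed, challenge,
                                 response(hashed, challenge)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In the third case the database entry alone is enough to answer any challenge, so a hash stored this way has to be protected like the password itself.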