[ejabberd] Re: Encrypted Passwords

dragon_sphere at vdsworld.com
Tue Oct 12 21:49:23 MSD 2004


> Hi Arioch!
>
> Arioch /BDV/ schrieb am 2004-10-12 12:25:33:
>> What ? Passwords are *never* to be stored on server!!!
>> There are hashes for that.
>
> This is the same discussion as we have for jabberd14/jabberd2 from
> time to time too. The point is that storing only hashes on the server
> limits the number of available authentication mechanisms. Good
> authentication mechanisms NEED the password on the server. If the
> authentication mechanism does not transmit the password over the
> internet (which is much more risky), the server does not get anything it
> can hash and compare. Therefore, if you transmit only a hash, the server
> needs the clear password or something equivalent to calculate the hash
> as well and to compare the hash afterwards.
>
>
> Tot kijk
>     Matthias
>
> --
> Fon: +49-(0)70 0770 07770       http://web.amessage.info
> HAM: DB1MW                      xmpp:mawis at amessage.info
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd
>

Hi All,
  My 2 cents, and I think it's what everyone is basically saying, is that if
you store hashed passwords on your server then make SSL connections
required and have the client send the password in plain text. This way
the plain text password will be encrypted in the SSL stream and
decrypted on the other end to be compared to the hashed version kept on
the server.  At least this is how I read it in the Admin's guide at
http://www.jabber.org

Thanks,
JKinsey (AKA DragonSphere)
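The trade-off both messages above describe, worked through in code. This is an added example, not code from either poster or from ejabberd; the account data is constructed, the realm string "example.org" is assumed, and the challenge-response scheme is a simplified HMAC exchange in the spirit of DIGEST-MD5, not the wire format of any real SASL mechanism. It shows the two storage models side by side: a salted, iterated hash that can only verify a password the client actually sends (PLAIN inside TLS), and a challenge-response exchange in which the password never crosses the wire but the server must hold the password or a password-equivalent, which is itself enough to log in if stolen.

```python
import hashlib
import hmac
import os

# Constructed demo account (not from the mailing list thread).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
REALM = "example.org"  # assumed realm string for the password-equivalent


# ---- Model 1: server stores only a salted, iterated hash ------------------
# Works with PLAIN: the client sends the password itself (protected by TLS),
# the server re-derives the hash and compares. The stored record alone is
# not a usable credential.

def make_hash_record(password, salt=None, iterations=100_000):
    """Build the server-side record: random salt + PBKDF2-HMAC-SHA256 digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_plain(record, candidate):
    """PLAIN-style check: recompute the digest from the transmitted password."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# ---- Model 2: challenge-response, password never sent ---------------------
# Illustrative scheme (assumption, not a standard mechanism): both sides key
# an HMAC with a password-equivalent derived from username:realm:password.
# The server cannot verify the response unless it stores that same value
# (or the clear password from which it can be derived).

def password_equivalent(username, realm, password):
    """Value the server must keep; derived from the password but usable like it."""
    return hashlib.sha256(f"{username}:{realm}:{password}".encode()).digest()


def challenge_response(pw_equiv, server_nonce, client_nonce):
    """Client side: prove knowledge of pw_equiv over both nonces."""
    return hmac.new(pw_equiv, server_nonce + b":" + client_nonce,
                    hashlib.sha256).digest()


def verify_challenge(stored_pw_equiv, server_nonce, client_nonce, response):
    """Server side: recompute with the stored password-equivalent and compare."""
    expected = challenge_response(stored_pw_equiv, server_nonce, client_nonce)
    return hmac.compare_digest(expected, response)


def demo():
    """Run both models and report what each storage choice can and cannot do."""
    results = {}

    # Model 1: hash-only storage, password transmitted (inside TLS).
    record = make_hash_record(PASSWORD)
    results["plain_accepts_correct"] = verify_plain(record, PASSWORD)
    results["plain_rejects_wrong"] = not verify_plain(record, "wrong password")

    # Model 2: server database holds the password-equivalent, not the hash record.
    server_db = {USERNAME: password_equivalent(USERNAME, REALM, PASSWORD)}
    server_nonce = os.urandom(16)
    client_nonce = os.urandom(16)
    # The client derives the same value from the password the user typed.
    client_key = password_equivalent(USERNAME, REALM, PASSWORD)
    response = challenge_response(client_key, server_nonce, client_nonce)
    results["challenge_accepts_correct"] = verify_challenge(
        server_db[USERNAME], server_nonce, client_nonce, response)

    # The cost of model 2: whoever reads the server database can answer the
    # challenge without ever knowing the password.
    stolen = server_db[USERNAME]
    forged = challenge_response(stolen, server_nonce, client_nonce)
    results["stolen_equivalent_logs_in"] = verify_challenge(
        server_db[USERNAME], server_nonce, client_nonce, forged)

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The salted PBKDF2 record in model 1 is useless to an attacker who dumps the database, but it can only be checked against a password the client sends, which is why that model pairs with mandatory TLS. Model 2 keeps the password off the wire, at the price that the stored password-equivalent must be protected as carefully as the clear password itself.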
