[ejabberd] Change field names in mysql?

Brian Campbell bacam at z273.org.uk
Sun Sep 10 01:14:06 MSD 2006


On Sat, Sep 09, 2006 at 09:21:18PM +0400, Sergei Golovan wrote:
> On 9/9/06, Lars Strojny <lars at strojny.net> wrote:
> >Hi,
> 
> <skipped>
> 
> >supported in MySQL 5.0 and really worth giving it a try. But one thing
> >on Ejabberd annoys me since a long time: why aren't the passwords
> >internally hashed? That's so weird, I don't understand why there is a
> >software in 2006 where passwords are stored in cleartext. Any chance to
> >change this behaviour?
> 
> If ejabberd stored hashed passwords it would be impossible to use
> secure authentication over unencrypted user connection. Passwords

You mean with SASL DIGEST authentication?  The RFC for it discusses
exactly what you should do to store hashed passwords (actually, a hash
of user name, realm and password, which is more effective).  This gives
you the best of both worlds: you never explicitly give the password when
authenticating, and the server doesn't store it explicitly either.

  Brian
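
The storage scheme described in the reply above, as an added example that is not part of the original message or of ejabberd's code: the server keeps only H(username:realm:password) and can still verify a DIGEST-MD5 response, following the formulas in RFC 2831. The function names and the in-memory `db` are hypothetical, and the sample values are the ones from the RFC's own example exchange.

```python
import hashlib
import hmac


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """Value kept in the password table: raw 16-byte MD5 of user:realm:password.
    ASCII-only inputs are assumed; the RFC's charset rules are not handled."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """response = HEX(H(HEX(H(A1)):nonce:nc:cnonce:qop:HEX(H(A2)))), no authzid."""
    a1 = secret + f":{nonce}:{cnonce}".encode()      # A1 starts from the stored hash
    a2 = f"AUTHENTICATE:{digest_uri}".encode()       # A2 for qop=auth
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    return hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def client_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """Client side: derives the same secret from the typed password."""
    return digest_response(stored_secret(username, realm, password),
                           nonce, cnonce, nc, digest_uri)


def server_verify(db, username, realm, nonce, cnonce, nc, digest_uri, response):
    """Server side: needs only the stored hash, never the cleartext password."""
    secret = db.get((username, realm))
    if secret is None:
        return False
    expected = digest_response(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response.lower())


if __name__ == "__main__":
    # Sample values from the example exchange in RFC 2831, not from this thread.
    user, realm = "chris", "elwood.innosoft.com"
    db = {(user, realm): stored_secret(user, realm, "secret")}
    chal = ("OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001",
            "imap/elwood.innosoft.com")
    resp = client_response(user, realm, "secret", *chal)
    print(resp, server_verify(db, user, realm, *chal, resp))
```

As the RFC's section on storing passwords notes, the stored value is sufficient to authenticate as that user within the same realm, so the table still needs the protection a cleartext one would get; what it avoids is exposing the password itself.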



