[ejabberd] Change field names in mysql?

Sergei Golovan sgolovan at gmail.com
Sun Sep 10 09:14:29 MSD 2006


On 9/10/06, Brian Campbell <bacam at z273.org.uk> wrote:
> On Sat, Sep 09, 2006 at 09:21:18PM +0400, Sergei Golovan wrote:
> > If ejabberd stored hashed passwords, it would be impossible to use
> > secure authentication over an unencrypted user connection. Passwords
>
> You mean with SASL DIGEST authentication?  The RFC for it discusses
> exactly what you should do to store hashed passwords (actually, a hash
> of user name, realm and password, which is more effective).  This gives
> you the best of both worlds: you never explicitly give the password when
> authenticating, and the server doesn't store it explicitly either.

As discussed in section 3.9 of RFC 2831, storing hashed passwords does
not add much to security. If the database is compromised, the attacker
gets access to all user accounts (almost) as easily as if the passwords
were stored in clear text.

-- 
Sergei Golovan
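The point made above, worked through as an added example that is not part of this thread or of ejabberd's code: a toy DIGEST-MD5 (RFC 2831) exchange in which the server stores only H(username:realm:password), as section 3.9 describes. The account name, realm, password and digest-uri are constructed sample values; the `DigestServer` class and `authenticate` helper are assumptions made for the demonstration, not ejabberd APIs. The exchange shows that the stored value alone is enough to log in, so a dumped table is a usable credential, while the realm baked into the hash keeps the same dump from working against another realm without a brute-force attack.

```python
"""DIGEST-MD5 (RFC 2831) with a section 3.9 password file: the stored hash is the credential."""
import hashlib
import hmac
import secrets

# Constructed sample account; not data from the original thread.
USERNAME = "alice"
REALM = "example.org"
PASSWORD = "correct horse battery staple"
DIGEST_URI = "xmpp/example.org"   # XMPP clients use "xmpp/<domain>" as the digest-uri
QOP = "auth"
NC = "00000001"


def _h(data: bytes) -> bytes:
    """H() from RFC 2831: raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def _hex(data: bytes) -> str:
    """HEX(H()) from RFC 2831: lowercase hex MD5 digest."""
    return hashlib.md5(data).hexdigest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What a DIGEST-MD5 server keeps instead of the password (RFC 2831 s3.9):
    H(username:realm:password) as raw bytes. The realm is part of the digested data."""
    return _h(f"{username}:{realm}:{password}".encode())


def _kd_response(secret: bytes, nonce: str, cnonce: str, a2: bytes,
                 nc: str = NC, qop: str = QOP) -> str:
    """HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) for qop=auth.
    A1 = H(username:realm:password) ":" nonce ":" cnonce, so only `secret` is needed."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    return _hex(f"{_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex(a2)}".encode())


def response_value(secret: bytes, nonce: str, cnonce: str, digest_uri: str) -> str:
    """Client response: A2 = "AUTHENTICATE:" digest-uri."""
    return _kd_response(secret, nonce, cnonce, f"AUTHENTICATE:{digest_uri}".encode())


def rspauth_value(secret: bytes, nonce: str, cnonce: str, digest_uri: str) -> str:
    """Server response-auth: A2 = ":" digest-uri."""
    return _kd_response(secret, nonce, cnonce, f":{digest_uri}".encode())


class DigestServer:
    """Toy server (assumption for this example) holding only {username: H(user:realm:pass)}."""

    def __init__(self, realm: str, password_file: dict):
        self.realm = realm
        self.password_file = password_file

    def challenge(self) -> str:
        return secrets.token_hex(16)  # nonce-value

    def verify(self, username, nonce, cnonce, digest_uri, response):
        """Return rspauth on success, None on failure. No password is ever consulted."""
        secret = self.password_file.get(username)
        if secret is None:
            return None
        expected = response_value(secret, nonce, cnonce, digest_uri)
        if not hmac.compare_digest(expected, response):
            return None
        return rspauth_value(secret, nonce, cnonce, digest_uri)


def authenticate(server: DigestServer, username: str, client_secret: bytes) -> bool:
    """One exchange. `client_secret` is whatever the client holds: H(user:realm:pass)
    derived from the real password, or the same value lifted from a server dump."""
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    rspauth = server.verify(username, nonce, cnonce, DIGEST_URI,
                            response_value(client_secret, nonce, cnonce, DIGEST_URI))
    if rspauth is None:
        return False
    # Mutual authentication: the client checks the server knew the same secret.
    return hmac.compare_digest(rspauth, rspauth_value(client_secret, nonce, cnonce, DIGEST_URI))


def demo() -> dict:
    server = DigestServer(REALM, {USERNAME: stored_secret(USERNAME, REALM, PASSWORD)})
    legit = authenticate(server, USERNAME, stored_secret(USERNAME, REALM, PASSWORD))
    wrong = authenticate(server, USERNAME, stored_secret(USERNAME, REALM, "guess"))
    # Attacker with a dump of the table: logs in without ever learning the password.
    stolen = authenticate(server, USERNAME, server.password_file[USERNAME])
    # Same user and password in another realm: the dumped value does not work as-is.
    other = DigestServer("other.example",
                         {USERNAME: stored_secret(USERNAME, "other.example", PASSWORD)})
    replayed = authenticate(other, USERNAME, server.password_file[USERNAME])
    return {"legit": legit, "wrong_password": wrong,
            "stolen_hash": stolen, "other_realm": replayed}
```

Run `demo()` to see the four cases; `stolen_hash` succeeding is exactly the section 3.9 caveat, and `other_realm` failing is why the realm is in the digested data. Using `hmac.compare_digest` for the comparisons is a deliberate choice to avoid a timing side channel when checking `response` and `rspauth`.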

