[ejabberd] Change field names in mysql?

Brian Campbell bacam at z273.org.uk
Sun Sep 10 13:50:22 MSD 2006


On Sun, Sep 10, 2006 at 09:14:29AM +0400, Sergei Golovan wrote:
> On 9/10/06, Brian Campbell <bacam at z273.org.uk> wrote:
> >On Sat, Sep 09, 2006 at 09:21:18PM +0400, Sergei Golovan wrote:
> >> If ejabberd stored hashed passwords it would be impossible to use
> >> secure authentication over unencrypted user connection. Passwords
> >
> >You mean with SASL DIGEST authentication?  The RFC for it discusses
> >exactly what you should do to store hashed passwords (actually, a hash
> >of user name, realm and password, which is more effective).  This gives
> >you the best of both worlds: you never explicitly give the password when
> >authenticating, and the server doesn't store it explicitly either.
> 
> As discussed in section 3.9 of RFC 2831, storing hashed passwords does
> not add much to security. If the database is compromised the attacker
> gets access to all user accounts (almost) as easily as if passwords were
> stored in clear text.

The point is to protect the password rather than the accounts.  Users
will often risk reusing the same password for many services rather than
trying to remember several, and storing plaintext passwords forces them
to change the password on all of them if the database is compromised.

(They still need to use a different password on the compromised service
with DIGEST though.  I'm surprised that the hash doesn't contain salt to
prevent its reuse.)

  Brian
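An added example (not from this thread or from ejabberd's code) of the point under discussion: with DIGEST-MD5 the server can keep H(username:realm:password) from RFC 2831 section 3.9 instead of the password and still verify a client's response and produce rspauth. The user, realm, nonce and digest-uri values are constructed to follow the layout of the RFC's section 4 example; the dictionary standing in for the password table is assumed.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): what the server stores instead of the password.
    There is no per-entry random salt; only the realm differs between servers."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str, rspauth: bool = False) -> str:
    """RFC 2831 response (client) or rspauth (server), from the stored hash alone.
    A1 = H(user:realm:pass) ":" nonce ":" cnonce      (binary hash, then text)
    A2 = "AUTHENTICATE:" digest-uri (client) or ":" digest-uri (server rspauth)
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))"""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    a2_hex = md5hex(a2.encode("utf-8"))
    return md5hex(f"{md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{a2_hex}".encode("utf-8"))

def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """The client knows the password, so it derives the same secret on the fly."""
    secret = stored_secret(username, realm, password)
    return digest_response(secret, nonce, cnonce, nc, qop, digest_uri)

def server_verify(db, username, realm, nonce, cnonce, nc, qop, digest_uri, response):
    """Check the response using only the stored hash; return rspauth on success, else None."""
    secret = db.get((username, realm))  # db: assumed (username, realm) -> stored hash table
    if secret is None:
        return None
    expected = digest_response(secret, nonce, cnonce, nc, qop, digest_uri)
    if not hmac.compare_digest(expected, response):
        return None
    return digest_response(secret, nonce, cnonce, nc, qop, digest_uri, rspauth=True)

def demo(password_tried: str = "secret"):
    # Constructed values laid out like the RFC 2831 section 4 example exchange.
    user, realm, digest_uri = "chris", "elwood.innosoft.com", "imap/elwood.innosoft.com"
    nonce, cnonce, nc, qop = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"
    db = {(user, realm): stored_secret(user, realm, "secret")}  # the password itself is not kept
    resp = client_response(user, realm, password_tried, nonce, cnonce, nc, qop, digest_uri)
    return server_verify(db, user, realm, nonce, cnonce, nc, qop, digest_uri, resp)

if __name__ == "__main__":
    print("rspauth:", demo())
    print("wrong password ->", demo("guess"))
```

The stored value is deterministic for a given user, realm and password, which is the absence of per-entry salt Brian remarks on.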
