"Jamin W. Collins" <[EMAIL PROTECTED]> wrote on 13-9-2003 0:14:28: > >On Fri, Sep 12, 2003 at 10:04:39PM +0100, Andrew Sayers wrote: >> >> I can't speak for jabberd, but other popular programs (e.g. pppd, >> fetchmail) store passwords in plaintext, readable only by a specified >> user. The theory is that if someone can get read access to files >> they aren't supposed to, they'll get your password one way or other >> anyway. > >Understood, but in the examples provided the password is either stored >on the user's machine or on the remote server being connected to. In >the case of Jabber transports the password is being stored on a third >party system (the Jabber server), and the users probably don't realize >this.
Well, I suppose you *could* resend the password in plaintext each time you log into a transport, rather than storing it on the server. That way a user with only read access to the filesystem on the server won't be able to steal it. But what kind of user on the server would have permission to read all files but not sniff network traffic? (Maybe one used by a backup program or something.)

It might make things a little more secure one way (for example, they won't end up in your backups either), but on the other hand, sending your password in plaintext over the wire isn't that secure either. So you'd have to use SSL, which can be a bit heavy on the server and only works if the link between the server and the transport isn't vulnerable either.

--
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
