On 12/16/09 9:03 AM, Simon Tennant (Buddycloud) wrote:

> I'm curious what the community makes of the recent news
> http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
> given SASL's cleartext password storage? It seems like a monster breach.

This topic is more appropriate for the [email protected] list, but here goes anyway...

We've had these debates for years. And this is not tied to SASL, but if you want to offer multiple SASL mechanisms (DIGEST-MD5, SCRAM, PLAIN over TLS, CRAM-MD5, etc.), then I think it's difficult or impossible to have hashed passwords. And even if you do have hashed passwords, if someone breaks into your machine then it's not that much work to de-hash them all. It just looks scarier if they're in cleartext to start with.

> Are we, as XMPP network operators, headed to a similar compromise as
> larger projects get built around XMPP?

Everyone is a target for network compromise.

> Are there any XMPP network operators (apart from Google) that have
> turned off all but the SASL PLAIN with TLS? How did your migration go
> or did you start out with salted and hashed passwords from day 1?

We have not done so at jabber.org and do not plan to do so.

> I am also curious about what measures you are taking outside of SASL
> realm to keep your users' data secure?

Investigating passwordless login via user keys.

> Also, if you do not hash passwords in the DB, how do you go about
> informing your users that you are keeping their passwords in cleartext?

http://www.jabber.org/service-policy/#passwords

Peter

--
Peter Saint-Andre
https://stpeter.im/
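The storage trade-off discussed above, as an added example that is not part of the thread: a server can keep a salted, iterated SCRAM-SHA-1 verifier (StoredKey/ServerKey per RFC 5802) and still authenticate clients, whereas a CRAM-MD5 verifier needs the password itself as the HMAC key, which is why offering both mechanisms forces password-equivalent storage. Function names, the sample password, nonces and the AuthMessage string are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed helper names; the derivations follow RFC 5802 (SCRAM-SHA-1)
# and RFC 2195 (CRAM-MD5).

def _salted(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)

def scram_store(password, salt=None, iterations=4096):
    """What a SCRAM server keeps per user: salt, iteration count, StoredKey, ServerKey.
    Neither the password nor SaltedPassword is retained."""
    salt = salt or os.urandom(16)
    salted = _salted(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),  # H(ClientKey)
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }

def client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = _salted(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def server_verify(record, auth_message, proof):
    """Server recovers ClientKey from the proof and checks H(ClientKey) == StoredKey,
    using only the stored verifier (no plaintext password needed)."""
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

def cram_md5_response(password, challenge):
    """CRAM-MD5: the HMAC key is the password itself, so the server must hold the
    plaintext (or an HMAC-MD5 state derived from it) to check the response."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()

if __name__ == "__main__":
    # Constructed exchange; AuthMessage is the concatenation RFC 5802 specifies.
    rec = scram_store("correct horse battery")
    msg = b"n=alice,r=cnonce,r=cnonce-snonce,s=c2FsdA==,i=4096,c=biws,r=cnonce-snonce"
    proof = client_proof("correct horse battery", rec["salt"], rec["iterations"], msg)
    print("SCRAM verify:", server_verify(rec, msg, proof))
    print("CRAM-MD5 response (server needed the password):", cram_md5_response("correct horse battery", b"<123@host>"))
```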
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
