On 19 December 2014 at 20:18, Kevin Smith <kevin.sm...@isode.com> wrote:
>
> On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathi...@mathieui.net> wrote:
> >
> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
> >> On 19 Dec 2014 18:32, "Sam Whited" <s...@samwhited.com> wrote:
> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
> >>>> Hi all,
> >>>> thought it would be interesting to the audience of this mailing list.
> >>>>
> >>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> >>>>
> >>>> Best regards,
> >>>>
> >>> Another great example of why you should ditch DIGEST-MD5 and store your
> >>> passwords as SCRAM bits.
> >>>
> >>> —Sam
> >>>
> >> It feels like we should do something like the encryption push, but for
> >> non-plaintext passwords.
> >
> > Do we have any statistics (e.g. on jabber.org) about what proportion of
> > clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
> > (though yes, PLAIN works well with hashed passwords, but should still be
> > avoided whenever possible)
> >
> > That would be enlightening.
>
> While I can't say anything about clients not supporting stuff, obviously,
> clients choosing DIGEST are four times more numerous than clients choosing
> SCRAM, six times more numerous than those choosing PLAIN, and a small
> number do 78 auth and CRAM-MD5.
>
> Thanks.

So unlike the campaign about TLS, this one is really aimed primarily at the clients, then. Probably one to discuss at the Summit?

> /K