On 11 Sep 2007, at 17:20, Ian Paterson wrote:
Even where TLS is available, SASL PLAIN requires server operators to keep copies of all users' passwords. This is a serious (and often unnecessary) security weakness.

I'm not sure that's true; the server could hash the password still, both in storage and at the end of the wire. It doesn't help against a compromised server that's still accepting connections, but the passwords don't need to be stored plaintext afaics.

/k
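
The approach described in the reply above, as an added example that is not part of the original thread: a server receives the SASL PLAIN message (RFC 4616 layout), hashes the password it contains, and compares that with a stored salted verifier. The function names, the choice of PBKDF2-HMAC-SHA256, the iteration count and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the password (PBKDF2 chosen for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, verifier): what the server stores instead of the password."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def parse_plain(message: bytes) -> tuple[str, str, str]:
    """Split an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    parts = message.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


# Random record used for unknown users, so they cost one hash like everyone else.
DUMMY = (os.urandom(16), os.urandom(32))


def authenticate(message: bytes, store: dict) -> bool:
    """Check a PLAIN message against hashed records.

    The cleartext password exists only in memory for this call, which is why
    a compromised server that is still accepting connections can capture it.
    """
    try:
        _authzid, authcid, passwd = parse_plain(message)
    except ValueError:  # also covers invalid UTF-8
        return False
    salt, verifier = store.get(authcid, DUMMY)
    matches = hmac.compare_digest(derive(passwd, salt), verifier)
    return matches and authcid in store


# Constructed sample account; only the salt and verifier are kept.
USERS = {"juliet": make_record("r0m30myr0m30")}
```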

