Ticket #184 (closed enhancement: fixed)

Opened 11 months ago

Last modified 9 months ago

passwords in plain text

Reported by: gregf Owned by: smoku
Priority: major Component: c2s
Version: 2.1.19 Keywords:
Cc: Tracforge_linkmap:
Blocking: Blocked By:

Description

Currently jabberd2 is storing users' passwords in plain text. Would be nice to see these stored in a hash of some sort. I have only tried jabberd2 with mysql, if they are hashed using other methods please correct me.

Change History

Changed 11 months ago by smoku

  • component changed from General to c2s

If we want to transfer hashed passwords on the wire (SASL DIGEST-MD5 and XEP-0078 SHA1 digest), we need to store passwords in plain text, to be able to generate the same hashes on the server for comparison with the provided one.

If we want to store password hashes, we need to get the plaintext password on the wire (SASL PLAIN and XEP-0078 plain), to be able to generate the hash on the server for comparison with the stored one.

RFC3920 requires SASL DIGEST-MD5 implementation, so to achieve that we need plaintext passwords in storage. We also value wire sniffing protection more than storage hijacking protection.

Of course it may be a deployment decision to allow only PLAIN authentication methods and store hashed passwords, so it would be nice to allow this.

It's also worth noting here that the XSF is working on deprecating DIGEST-MD5 authentication. One of the proposed replacements is PLAIN + enforced TLS.
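The trade-off smoku describes, as an added example that is not jabberd2's code: the server-side check for SASL DIGEST-MD5 (RFC 2831, qop=auth) can only be recomputed from the plaintext password, while the SASL PLAIN path can verify against a salted, stretched hash because the plaintext arrives on the (TLS-protected) wire. All names and challenge values below are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credential and DIGEST-MD5 challenge values (not real).
USER, REALM, PASSWORD = "alice", "example.org", "correct horse battery"
NONCE, CNONCE, NC, QOP = "srv-nonce-1", "cli-nonce-9", "00000001", "auth"
DIGEST_URI = "xmpp/example.org"


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, uri):
    """RFC 2831 client response-value for qop=auth. The only secret input
    is MD5(user:realm:password): unsalted, unstretched, and password-equivalent."""
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    ha1 = hashlib.md5(a1 + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{uri}".encode()).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode()).hexdigest()


def verify_digest_md5(stored_plaintext, response, username, realm,
                      nonce, cnonce, nc, qop, uri):
    """Server side for DIGEST-MD5: the store must yield the plaintext (or the
    raw MD5(user:realm:password), which is just as sensitive) so the server
    can rebuild the same response; a salted hash cannot feed this computation."""
    expected = digest_md5_response(username, realm, stored_plaintext,
                                   nonce, cnonce, nc, qop, uri)
    return hmac.compare_digest(expected, response)


def hash_password(password, salt=None, iterations=200_000):
    """Storage record for the PLAIN + enforced-TLS deployment: salted PBKDF2,
    so a copied database does not hand over reusable credentials."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_plain(record, password):
    """Server side for SASL PLAIN: the plaintext came over the wire, so the
    server re-derives the hash and compares in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])
```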

Changed 9 months ago by smoku

  • status changed from new to closed
  • resolution set to fixed

In [572]: Merged crypted passwords support for MySQL. Closes #184 and 197
