Hi.

On Thursday, 20 October 2005 20:29, Phillip Hutchings wrote:
> I think most people would agree that storing clear text passwords is
> preferable to transmitting clear text passwords across the internet.

I don't agree. Storing cleartext passwords has two weak points:

1. All users must *ultimately* trust the admin.
2. If someone cracks the backend (e.g. LDAP), all passwords of all users are known.

Both lead to the situation that users should not use passwords that are used anywhere else. If one has *many* accounts, this is unacceptable.

Just disable any kind of non-SSL authentication and you don't have problems with plaintext transmission. To spy inside an SSL connection, the only point to attack is a memory trace of the running daemon process; when there's no connection, no cleartext password is available.

cu, Bernd
--
If a man steals your wife, there's no better revenge than to let him keep her
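The "backend cracked" weak point Bernd describes, shown side by side with a salted-hash store as an added example (not code from the thread or from any project discussed in it): the usernames, passwords and the in-memory dict standing in for the backend are all constructed here, and PBKDF2 is used only as one readily available password-hashing function.

```python
import hashlib
import hmac
import os

# Constructed sample: what a cleartext backend (e.g. an LDAP or SQL store) holds.
# A dump of this store hands the attacker every password directly.
CLEARTEXT_STORE = {"alice": "correct horse", "bob": "hunter2"}


def cleartext_verify(store, user, password):
    """Verification against cleartext storage: the stored value *is* the secret."""
    return store.get(user) == password


def make_record(password, iterations=200_000):
    """Hashed storage: keep only (salt, iteration count, derived key).

    The record lets the server check a password but does not contain it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def hashed_verify(store, user, password):
    """Re-derive the key from the offered password and compare in constant time."""
    rec = store.get(user)
    if rec is None:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(dk, rec["dk"])


# Same users and passwords, but stored as salted hashes (constructed sample).
HASHED_STORE = {user: make_record(pw) for user, pw in CLEARTEXT_STORE.items()}


def dump_contains_password(store, user, password):
    """Model the cracked-backend case: does a raw dump of the user's record
    contain the password verbatim?  True for cleartext storage, False for hashed."""
    rec = store[user]
    blob = rec.encode() if isinstance(rec, str) else rec["salt"] + rec["dk"]
    return password.encode() in blob
```

Note that a hashed store still lets whoever holds the dump test guesses offline, so Bernd's advice against reusing a password across accounts applies in both cases.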