On 29/Sep/11 14:11, Lucio Crusca wrote:
> In data mercoledì 28 settembre 2011 17:35:18, Alessandro Vesely ha scritto:
>>> I mean: ok I can't have hash-based auth, if I want to store encrypted
>>> passwords I'm forced to plain text. That has only one downside AFAIK,
>>> i.e. the password goes on air in plain text, but I can solve this
>>> problem by using SSL/TLS.
>> 
>> No, avoiding plain text on the wire is the purpose of hash-based
>> challenge/response methods.  The difference is whether admins or
>> intruders can know users' passwords.  Even if admins are 100% trusted
>> and the server is well firewalled, it is worth advising users, so
>> that they don't reuse their Courier password for their bank accounts.
> 
> I don't quite get it, e.g. I don't understand what's wrong in my
> reasoning.

You seem to conflate having clear text passwords on the DB with
accepting clear text passwords on the wire.  They are two different
issues.

Password eavesdropping must be avoided, of course.  In spite of the
obviousness of this concept, it may be difficult to state it in a
simple, non-circumlocutory style.  For example, RFC 5068 expresses
itself like so:

 This document does not provide recommendations on specific security
 implementations.  It simply provides a warning that transmitting user
 credentials in clear text over insecure networks SHOULD be avoided in
 all scenarios as this could allow attackers to listen for this
 traffic and steal account data.  In these cases, it is strongly
 suggested that an appropriate security technology MUST be used.

> Why is SSL/TLS not a good choice to avoid plain text passwords on
> the wire?

SSL/TLS _is_ a good choice.

> As for the advice to users, that would not be needed if I used
> encrypted passwords + plaintext auth + SSL/TLS, right?

Hm..  I'd recommend advising users about local policies anyway.  You
may want to write prominent principles and a link to further details
in the welcome message that you initialize new accounts with.

_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users