On Thursday 29 September 2011 20:14:12, Alessandro Vesely wrote:
> You seem to conflate having clear text passwords on the DB with
> accepting clear text passwords on the wire. They are two different
> issues.

I know that, but I suspect there's a misunderstanding here. When Sam Varshavchik wrote:

> Passwords can be changed via webmail, with some additional setup. They can
> be stored encrypted, however you must realize that fundamental laws of this
> universe will not allow you to use hash-based authentication via IMAP when
> encrypted passwords are used. The server must have password in plain text,
> in order to be able to recalculate the hashes.

I understood that I can store *encrypted* passwords with only a drawback: they must go in cleartext when sent over the wire. I plan to solve this by using SSL/TLS.

Now I understand this does have a side effect anyway, in that the passwords exist for a small time interval in clear text in the server's memory. Is this what you are referring to? If so, thanks for pointing that out, I will certainly warn my customer about that, but I forgot to mention that in my scenario that's a perfectly acceptable risk.
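
The trade-off discussed in this message, as an added example that is not part of the original post or of Courier's code: a CRAM-MD5 style challenge-response check needs the plaintext password on the server, while a one-way stored hash can only be checked against a password that arrives in clear text (here assumed to be protected by SSL/TLS). PBKDF2 stands in for whatever one-way scheme the server uses; the password, challenge and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def cram_md5_response(password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 over the challenge, keyed by the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def verify_cram(stored_plaintext: str, challenge: bytes, response: str) -> bool:
    """Server side: recomputing the HMAC needs the plaintext password from the DB."""
    expected = cram_md5_response(stored_plaintext, challenge)
    return hmac.compare_digest(expected, response)

def hash_for_storage(password: str, salt: bytes = b"") -> tuple:
    """One-way salted hash for the DB (PBKDF2 used as a stand-in scheme)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_plain(stored: tuple, password_from_wire: str) -> bool:
    """PLAIN/LOGIN style check: the password crosses the wire and exists
    briefly in server memory, where it is re-hashed and compared."""
    salt, digest = stored
    return hmac.compare_digest(hash_for_storage(password_from_wire, salt)[1], digest)

def verify_cram_from_hash(stored: tuple, challenge: bytes, response: str) -> bool:
    """What a server holding only the one-way hash could try: keying the HMAC
    with the stored digest does not reproduce the client's response."""
    _salt, digest = stored
    guess = hmac.new(digest, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(guess, response)

if __name__ == "__main__":
    password = "correct-horse-constructed"             # constructed sample
    challenge = b"<1896.697170952@mail.example.org>"   # constructed sample
    response = cram_md5_response(password, challenge)
    stored = hash_for_storage(password)
    print("CRAM-MD5, plaintext in DB:  ", verify_cram(password, challenge, response))
    print("CRAM-MD5, hash-only DB:     ", verify_cram_from_hash(stored, challenge, response))
    print("PLAIN over TLS, hash-only DB:", verify_plain(stored, password))
```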
