On 02/Oct/11 11:21, Lucio Crusca wrote:
> When Sam Varshavchik wrote:
>
>> Passwords can be changed via webmail, with some additional setup. They can
>> be stored encrypted, however you must realize that fundamental laws of this
>> universe will not allow you to use hash-based authentication via IMAP when
>> encrypted passwords are used. The server must have the password in plain
>> text, in order to be able to recalculate the hashes.
>
> I understood that I can store *encrypted* passwords with only a drawback:
> they must go in cleartext when sent over the wire. I plan to solve this by
> using SSL/TLS. Now I understand this does have a side effect anyway, in that
> the passwords exist for a small time interval in clear text in the server's
> memory. Is this what you are referring to? If so, thanks for pointing that
> out, I will certainly warn my customer about that, but I forgot to mention
> that in my scenario that's a perfectly acceptable risk.
Agreed. Encrypted passwords in clear text is a curious concept. I thought you were talking about unencrypted passwords when I suggested to advise users. Sorry for my misunderstanding. Encrypted passwords are, ehm, encrypted. Encryption methods can be robust enough to allow encrypted passwords to be viewed on the wire, in memory, or on disk. (Of course, users who choose passwords from the dictionary are still somewhat exposed.) Yes, TLS provides for even increased security, as sniffers cannot know when users change passwords, nor confirm login-IDs. Belt and braces. I don't think such additional security is useful for memory/disk operations, unless the system environment is blatantly corrupted.
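Sam's point in the quoted message, as an added example that is not code from this thread or from Courier: a server holding only a salted hash can verify an IMAP PLAIN/LOGIN password (sent in cleartext, so under TLS), but it cannot complete a CRAM-MD5 challenge-response, because the HMAC must be keyed with the same cleartext the client used. PBKDF2 stands in for whatever "encrypted" store is used, and the credentials and challenge are constructed; standard library only.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value)

def store_hashed(password: str) -> dict:
    """What a hashed-password store keeps: salt plus derived key, no cleartext."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "key": key}

def verify_plain(record: dict, candidate: str) -> bool:
    """IMAP PLAIN/LOGIN (cleartext on the wire, so run it under TLS):
    the server re-derives the key from the submitted password and compares."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(key, record["key"])

def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server's
    challenge, keyed with the cleartext password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"

def verify_cram_md5(server_key: str, challenge: bytes, response: str) -> bool:
    """Server side: it must recompute the same HMAC, so it needs the same key
    the client used, i.e. the cleartext password. A stored hash is not that key."""
    _, digest = response.split(" ", 1)
    expected = hmac.new(server_key.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def demo() -> dict:
    """Constructed credentials and challenge; returns each verification outcome."""
    password = "correct horse"
    record = store_hashed(password)
    challenge = b"<1234.1317550000@mail.example.invalid>"  # constructed challenge
    resp = cram_md5_response("lucio", password, challenge)
    return {
        "plain_ok": verify_plain(record, password),
        "plain_bad": verify_plain(record, "wrong"),
        "cram_from_cleartext": verify_cram_md5(password, challenge, resp),
        # keying the HMAC with the stored hash instead of the password can
        # never reproduce what the client computed
        "cram_from_hash": verify_cram_md5(record["key"].hex(), challenge, resp),
    }
```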
