I think we can agree that the more passwords are available in clear text the more problems we will have if a system is compromised. Therefore it's common practice to not store passwords in clear text. In our case we use xml-curl to store the directory data in a database for a distributed FreeSWITCH network. I simply try to avoid having a database with clear text passwords. VM-Passwords may not be a bigger problem, but gateway passwords and conference pins are.
One way is of course to encrypt the passwords with e.g. OpenSSL/RSA, store it in the database and decrypt it on the fly when it is needed. This moves the security implementation to the application side with some drawbacks, as passwords can be retrieved with the decryption key and passwords are transferred through the network (of course via SSL) and the passwords are in the logs. This is how we do it for the time being.

Another idea, as I propose, is not to store the passwords but hashes.

To be honest: I do not understand this discussion. It would be wise to store passwords in an encrypted way. I have seen compromised servers on the client's side in the last years and security threats will even increase in the future. The more we protect our sensitive data the safer the system will be for the future. There is a growing number of companies in Germany (even the very big ones such as Deutsche Telekom) who recently had to tell their customers that a huge amount of sensitive data was lost.

I am not asking for doing it right now, but I would love to have it somehow on the roadmap for the future.

Best regards
Peter

Kristian Kielhofner wrote:
> On 10/20/08, Peter P GMX <[EMAIL PROTECTED]> wrote:
>
>> Hello Brian,
>>
>> I have learned in my life that any server can be compromised if anyone
>> uses enough effort to hack it. Thus I simply try to prevent storing
>> passwords in clear text.
>> I am actually trying to set up a secure system with TLS/SRTP and handling
>> clear text passwords didn't really fit into this concept.
>>
>> Best regards
>> Peter
>>
>
> If your server is compromised and they can read your config files they
> can read the file store, db, etc and have access to everything (VM?)
> that pin would have access to.
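
Added example, not part of the original message and not FreeSWITCH code: a sketch of the "store hashes, not passwords" idea for SIP digest authentication, where a server can check a login using only the stored value MD5(username:realm:password). The user, realm, nonce, URI, password and all function names are constructed for illustration, and the response formula shown is the digest form without qop.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """Value stored in place of the password: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Digest response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify(stored_ha1: str, nonce: str, method: str, uri: str,
           client_response: str) -> bool:
    """Server-side check that needs the stored hash only, never the password."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_response.lower())


# Constructed sample values (hypothetical user, realm and nonce).
USER, REALM, NONCE = "1000", "pbx.example.invalid", "c0ffee0123456789"
METHOD, URI = "REGISTER", "sip:pbx.example.invalid"


def demo():
    # Provisioning: hash once, write only this value to the directory database.
    stored = compute_ha1(USER, REALM, "s3cret-Example")
    # Client side: the phone knows the password and answers the challenge.
    good = digest_response(compute_ha1(USER, REALM, "s3cret-Example"),
                           NONCE, METHOD, URI)
    bad = digest_response(compute_ha1(USER, REALM, "wrong-guess"),
                          NONCE, METHOD, URI)
    return (verify(stored, NONCE, METHOD, URI, good),
            verify(stored, NONCE, METHOD, URI, bad))


if __name__ == "__main__":
    print(demo())
```

The stored hash is bound to one user and realm, so a leaked database row does not reveal a password reused elsewhere, but it is still sufficient to answer digest challenges for that realm and needs the same protection as any credential.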
