On Sat, 12 Jul 2003, Ralph Dratman wrote:
> In fact, yes, I looked over those notes, and still could not be sure
> whether I should enable plaintext passwords. (Being a good and clean
> citizen, I didn't particularly want to be "non-compliant".)

If you decide to enable plaintext passwords, then anybody who has a network sniffer can steal passwords on your server; and your server is in violation of the new security rules. People care more about security today than they did 10 years ago.

If you decide not to enable plaintext passwords, then you are compliant with the security rules, but then you can't use clients that insist upon using plaintext passwords. You need to use a SSL or TLS-enabled client.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
