Sami Haahtinen wrote:

> On Sun, May 19, 2002 at 03:29:22AM -0700, Chris Chen wrote:
>
>> Has anyone considered RFC 2945 (SRP implementation) as perhaps an
>> alternative form of authentication for Jabber?
>>
>> I personally think that 0k authentication is a little unwieldy because you
>> have to periodically update the counter when it hits zero.
>>
>> With SRP, password authentication is transmitted securely without a need for
>> certificate-based or public key-based authentication.
>
> Well, after a quick read through the docs, I have to say: I hate it!
>
> I don't know if it would improve the security, probably it would on the
> network level, but the idea of storing plaintext passwords scares me.
> The problem with secure authentication is that the weak point moves from
> one place to another. This way you would be unable to crack one account,
> but by gaining access to the host itself, you would get all the
> passwords, which I consider to be a huge thing (as many people do use
> the same password in many places), but by tracking back with the e-mail
> addresses entered for the accounts you would be able to crack a few
> new hosts.

Nah, the server does not need to store the password, it just needs to store
the password verifier as a number, which (assuming standard 'g' and 'N') is
g^(SHA(salt + SHA(username + ':' + password))) % N.
-David Waite

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
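The verifier David describes, as an added Python example that is not from this thread or from any Jabber server code: it derives v from the RFC 2945 formula and then runs an SRP-6 exchange in which the server side touches only (salt, v), never the password. Assumptions: the 1024-bit group N with g = 2 is transcribed from RFC 5054 Appendix A, and the SRP-6 multiplier k and u = H(A | B) are used rather than the SRP-3 details in RFC 2945 itself.

```python
import hashlib
import secrets

# 1024-bit SRP group, transcribed from RFC 5054 Appendix A (assumed correct), g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = 128  # byte length of N, used to pad values before hashing

def H(*parts: bytes) -> int:
    """SHA-1 over the concatenated parts, as an integer (RFC 2945 uses SHA-1)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def private_key(salt: bytes, username: str, password: str) -> int:
    """x = SHA(salt | SHA(username ':' password)); only the client ever computes this."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return H(salt, inner)

def make_verifier(username: str, password: str, salt: bytes = None):
    """Enrolment: the server stores (salt, v = g^x mod N), not the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pow(g, private_key(salt, username, password), N)

def srp_session(username: str, password: str, salt: bytes, v: int):
    """One SRP-6 run; returns (client secret, server secret). Equal iff the password matches."""
    k = H(N.to_bytes(NLEN, "big"), g.to_bytes(NLEN, "big"))   # SRP-6a multiplier
    a = secrets.randbelow(N); A = pow(g, a, N)                # client ephemeral
    b = secrets.randbelow(N); B = (k * v + pow(g, b, N)) % N   # server ephemeral, uses only v
    u = H(A.to_bytes(NLEN, "big"), B.to_bytes(NLEN, "big"))   # scrambling parameter
    x = private_key(salt, username, password)                  # client side only
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(v, u, N) % N, b, N)                 # server side: (A * v^u)^b
    return s_client, s_server

if __name__ == "__main__":
    salt, v = make_verifier("alice", "correct horse")   # constructed sample credentials
    print(srp_session("alice", "correct horse", salt, v)[0] ==
          srp_session("alice", "correct horse", salt, v)[1])
```

A database dump therefore yields v, from which recovering the password means either a discrete log in the group or an offline dictionary attack against the salted hash; that is the trade-off Sami was worried about, and it is the same one a salted password file already carries.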
