On Mon, Sep 15, 2003 at 11:00:12AM +0200, Bart van Bragt wrote:

> > Only specific users (such as the user that the server runs as) should
> > have read access to these files. And of course, the administrator is
> > implicitly trusted.
>
> Should have :D
>
> I do trust most server admins but nothing can guarantee me that they
> administer their servers properly.

You have to trust your server admin. If you don't, then don't use their
server, or use a non-critical password. If you can't do either of those
(i.e. you have to use their server, e.g. for work), then you need to clue
them up.

> IMO it is very undesirable that passwords are stored in plaintext, IMO
> we should get rid of that ASAP :D I know we'll have to live with
> plaintext passwords for quite some time to come but IMO it would be a
> Good Thing(tm) if clients/servers would default to storing hashed
> passwords.

Well, I think that plaintext passwords on the wire are more of an issue
than plaintext passwords in the data store. Basically, until we get auth
mechanisms that are secure on the wire and don't require plaintext
passwords on the server, then stuff I write will be storing passwords in
plaintext.

(Of course, you can use a storage backend with jabberd2 that stores
hashed passwords (e.g. LDAP), and force encryption, but that's another of
those policy decisions that a clueful admin should be making.)

Rob.

-- 
Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: [EMAIL PROTECTED]                  Web: http://cataclysm.cx/
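The trade-off Rob describes above, shown as an added example that is not part of the thread or of jabberd2's code: with a PLAIN-style mechanism the password itself crosses the wire (so it needs transport encryption), but the server can keep only a salted hash; with a challenge-response mechanism the password never crosses the wire, but the server must hold either the plaintext password or a derived value that is just as good as the password. The user name, realm, password and nonces are constructed for the demo, and the digest flow is modelled on DIGEST-MD5's HA1 = MD5(user:realm:password) with a simplified HMAC response rather than the exact RFC 2831 formula.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo credentials; not taken from the original mail.
USER = "alice"
REALM = "example.org"
PASSWORD = "correct horse battery staple"


# ---- Flow 1: password sent in the clear (inside an encrypted channel),
# ---- server stores only a salted hash.

def make_password_record(password: str, iterations: int = 100_000) -> dict:
    """Server-side record for PLAIN-style auth: a salted PBKDF2 hash, no plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_plain(record: dict, presented_password: str) -> bool:
    """The client sent the actual password; recompute the hash and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", presented_password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


# ---- Flow 2: challenge-response, password never on the wire.
# ---- HA1 follows DIGEST-MD5 (user:realm:password); the response is a
# ---- simplified HMAC over the nonce pair, not the RFC 2831 construction.

def ha1(user: str, realm: str, password: str) -> str:
    """Password-derived secret both sides must be able to compute."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1_hex: str, nonce: str, cnonce: str) -> str:
    """Proof of knowing HA1 for this server nonce / client nonce pair."""
    return hmac.new(ha1_hex.encode(), f"{nonce}:{cnonce}".encode(),
                    hashlib.sha256).hexdigest()


def client_digest(user: str, realm: str, password: str,
                  nonce: str, cnonce: str) -> str:
    """Client side: derives HA1 from the password it knows, then answers."""
    return digest_response(ha1(user, realm, password), nonce, cnonce)


def server_verify_digest(stored_ha1: str, nonce: str, cnonce: str,
                         response: str) -> bool:
    """Server side: needs HA1 itself, or the plaintext password to derive it."""
    expected = digest_response(stored_ha1, nonce, cnonce)
    return hmac.compare_digest(expected, response)


def stolen_store_logs_in(stored_ha1: str) -> bool:
    """Someone who read the server's store answers a fresh challenge without PASSWORD."""
    nonce, cnonce = secrets.token_hex(8), secrets.token_hex(8)
    forged = digest_response(stored_ha1, nonce, cnonce)  # HA1 is password-equivalent
    return server_verify_digest(stored_ha1, nonce, cnonce, forged)


if __name__ == "__main__":
    rec = make_password_record(PASSWORD)
    print("PLAIN, right password:", verify_plain(rec, PASSWORD))
    print("PLAIN, stolen hash used as password:", verify_plain(rec, rec["hash"].hex()))
    stored = ha1(USER, REALM, PASSWORD)
    n, c = secrets.token_hex(8), secrets.token_hex(8)
    print("DIGEST, real client:",
          server_verify_digest(stored, n, c, client_digest(USER, REALM, PASSWORD, n, c)))
    print("DIGEST, attacker holding only the store:", stolen_store_logs_in(stored))
```

The point the run makes is that a stolen PBKDF2 record cannot be replayed as a password in flow 1, while a stolen HA1 authenticates directly in flow 2, so "hashed in the store" only buys something when the mechanism sends the password itself, which is exactly when the wire has to be encrypted.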