On Fri, 10 Dec 2004, Eduardo M. Bragatto wrote:
Tom Collins wrote:
If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it.
So I have to choose: using a cryptographic authentication method that's not safe, or having the password saved as plain text (which is not safe either)?
Sure, I can guarantee that getting access to my DB is more difficult than getting access to my LAN (in case of sniffing), so I would choose having the plain password stored, but it's still a hole in the system (if some guy gains access to the DB, he'll have access to ALL passwords, while sniffing would just compromise some users).
They don't have to sniff your LAN, they can sniff at the end-users side. You're probably using smtp-auth to provide roaming to travelling users, and there's a decent chance some of those are on "unfriendly" networks like wireless...
Are there any plans to work around this problem? Is there a way to do it? How do other programs that use CRAM-MD5 behave? Do they always keep the plain password?
There's a simple workaround; use standard auth and in your setup guides show your users how to click the "Use SSL/TLS" option in their mail program. Then your login (and the contents of the message they are sending/receiving) is encrypted, and you can use an auth mechanism that does not require clear-text passwords.
Another auth mechanism that works like this is CHAP. We used to have a roaming dial provider that had a handful of POPs that only supported CHAP and had to ditch them since it required us to store cleartext passwords. Since we auth dialup users out of our vpopmail db, we just decided not to mess with them. I've never been worried about the attack CHAP tries to protect against, which involves tapping the modem line to grab user/pass info - it's just not a realistic threat for most people.
-- Best regards, Eduardo M. Bragatto.
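The trade-off argued over in this thread, shown as an added example that is not code from the list or from vpopmail: a CRAM-MD5 server must recompute HMAC-MD5 keyed by the user's password, so it has to hold that password (or an equivalent pre-keyed HMAC state) in its database, while a replayed response fails against a fresh challenge; AUTH PLAIN lets the server store only a salted, slow hash, but the password itself crosses the wire and is only safe inside TLS. The function and user names, hostname, and sample passwords below are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import time

# --- CRAM-MD5 (RFC 2195): server challenge, client HMAC-MD5 keyed by the password ---

def new_challenge(hostname: str = "mail.example.com") -> bytes:
    """Fresh, unique challenge in the RFC 2195 form <random.timestamp@host>."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode()

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: the password is never sent, only an HMAC over the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def cram_md5_verify(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side. To recompute the HMAC the server needs the plaintext password
    (or a pre-keyed HMAC state derived from it); a salted hash of the password is
    not enough. That is the storage problem the thread is about."""
    _user, digest = response.split(" ", 1)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def replay_outcomes(password: str = "correct horse") -> dict:
    """Constructed scenario: one CRAM-MD5 exchange is captured off the wire and
    presented again. It validates only for the challenge it was computed for."""
    first_challenge = new_challenge()
    captured = cram_md5_response("alice", password, first_challenge)
    fresh_challenge = new_challenge()
    return {
        "legitimate_login": cram_md5_verify(password, first_challenge, captured),
        "replay_fresh_challenge": cram_md5_verify(password, fresh_challenge, captured),
    }

# --- AUTH PLAIN (RFC 4616) inside TLS: the server keeps only a salted hash ---

def plain_initial_response(username: str, password: str) -> bytes:
    """Client side of AUTH PLAIN: base64 of NUL user NUL password. The password
    is in the clear here, which is why this belongs behind the SSL/TLS option."""
    return base64.b64encode(b"\0" + username.encode() + b"\0" + password.encode())

def make_password_record(password: str, salt: bytes = b"") -> tuple:
    """What the server stores for PLAIN: a salt and a slow salted hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def plain_verify(record: tuple, initial_response: bytes) -> bool:
    """Server side: decode, re-derive the hash from the presented password, compare."""
    _authzid, _user, password = base64.b64decode(initial_response).split(b"\0")
    salt, stored = record
    presented = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)
    return hmac.compare_digest(stored, presented)

if __name__ == "__main__":
    print(replay_outcomes())
    rec = make_password_record("s3cret")
    print(plain_verify(rec, plain_initial_response("bob", "s3cret")))
```

The CRAM-MD5 half reproduces the RFC 2195 worked example (user `tim`, password `tanstaaftanstaaf`), so the client function can be checked against the published digest. Note that `cram_md5_verify` takes the plaintext password as its first argument: there is no version of it that works from a `plain_verify`-style salted hash, which is exactly why a site that wants CRAM-MD5 ends up with clear-text passwords in its database.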