On Mon, 13 Dec 2004 17:37:00 -0500 (EST), Charles Sprickman <[EMAIL PROTECTED]> wrote: > On Fri, 10 Dec 2004, Eduardo M. Bragatto wrote: > > > Tom Collins wrote: > > > >> If you stored a single encoded password, anyone sniffing the line could > >> learn the encoded version and just re-use it. > > > > So I have to choose: using a cryptography authentication method > > that's not safe or having the password being save as plain (wich is not safe > > either)? > > No... > > > Sure I can guarantee that getting access to my DB is more difficult > > than getting access to my LAN (in case of sniffing), so I would choose > > having > > the plain password stored, but it's still being a hole on the system (if > > some > > guy gains access to DB, he'll have access to ALL passwords, while sniffing > > would just compromise some users). > > They don't have to sniff your LAN, they can sniff at the end-users side. > You're probably using smtp-auth to provide roaming to travelling users, > and there's a decent chance some of those are on "unfriendly" networks > like wireless... > > > Is there any plans for workaround this problem? Is there a way to do > > it? How does behavior other softwares that uses CRAM-MD5? They always kept > > the plain password? > > There's a simple workaround; use standard auth and in your setup guides > show your users how to click the "Use SSL/TLS" option in their mail > program. Then your login (and the contents of the message they are > sending/receiving) is encrypted, and you can use an auth mechanism that > does not require clear-text passwords.
Yes, does Outlook Express support TLS? I can't make it use it, which is not very nice :( > > Another auth mechanism that works like this is CHAP. We used to have a > roaming dial provider that had a handful of POPs that only supported CHAP > and had to ditch them since it required us to store cleartext passwords. > Since we auth dialup users out of our vpopmail db, we just decided not to > mess with them. I've never been worried about the attack CHAP tries to > protect against, which involves tapping the modem line to grab user/pass > info - it's just not a realistic threat for most people. > > Charles > > > > > -- > > Best regards, > > Eduardo M. Bragatto. > > > -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
