On Mon, 13 Dec 2004 17:37:00 -0500 (EST), Charles Sprickman
> On Fri, 10 Dec 2004, Eduardo M. Bragatto wrote:
> > Tom Collins wrote:
> >
> >> If you stored a single encoded password, anyone sniffing the line could
> >> learn the encoded version and just re-use it.
> >
> >       So I have to choose: using a cryptographic authentication method
> > that's not safe or having the password saved as plain (which is not safe
> > either)?
> No...
> >       Sure I can guarantee that getting access to my DB is more difficult
> > than getting access to my LAN (in case of sniffing), so I would choose
> > having the plain password stored, but it's still a hole in the system (if
> > some guy gains access to the DB, he'll have access to ALL passwords, while
> > sniffing would just compromise some users).
> They don't have to sniff your LAN, they can sniff at the end-users side.
> You're probably using smtp-auth to provide roaming to travelling users,
> and there's a decent chance some of those are on "unfriendly" networks
> like wireless...
> >       Are there any plans to work around this problem? Is there a way to do
> > it? How does other software that uses CRAM-MD5 behave? Does it always keep
> > the plain password?
> There's a simple workaround; use standard auth and in your setup guides
> show your users how to click the "Use SSL/TLS" option in their mail
> program.  Then your login (and the contents of the message they are
> sending/receiving) is encrypted, and you can use an auth mechanism that
> does not require clear-text passwords.

Yes, does Outlook Express support TLS? I can't make it use it, which
is not very nice :(

> Another auth mechanism that works like this is CHAP.  We used to have a
> roaming dial provider that had a handful of POPs that only supported CHAP
> and had to ditch them since it required us to store cleartext passwords.
> Since we auth dialup users out of our vpopmail db, we just decided not to
> mess with them.  I've never been worried about the attack CHAP tries to
> protect against, which involves tapping the modem line to grab user/pass
> info - it's just not a realistic threat for most people.
> Charles
> > --
> >               Best regards,
> >               Eduardo M. Bragatto.
> >

Pedro Pais
Skype name: pedro.pais
Get Firefox! 

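The trade-off the thread is arguing about can be seen directly in the CRAM-MD5 exchange (RFC 2195). The following Python is an added illustration, not code from vpopmail or from anyone on the list: the server must recompute HMAC-MD5 over its own challenge using the stored password, so a one-way hash in the database cannot be used for verification, while a response sniffed for one challenge is useless against another. The user database, hostname and credentials are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store. CRAM-MD5 verification needs the
# password itself (or an HMAC-MD5 intermediate state, which is password-
# equivalent), which is exactly the storage problem discussed in the thread.
USER_DB = {"eduardo": "correct horse battery staple"}


def make_challenge(hostname="mail.example.com"):
    """Server side: fresh, unpredictable challenge in the RFC 2195 form."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def client_response(challenge, username, password):
    """Client side: base64('user ' + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def server_verify(challenge, response_b64):
    """Server side: recompute the HMAC from the stored plaintext and compare."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:  # malformed base64, bad UTF-8 or missing separator
        return False
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def replay_rejected(challenge1, challenge2, username, password):
    """A response captured on the wire only verifies against its own challenge."""
    captured = client_response(challenge1, username, password)
    return server_verify(challenge1, captured) and not server_verify(challenge2, captured)
```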