On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins <[EMAIL PROTECTED]> wrote:
> On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
> >> Also, I'm fairly certain that CRAM-MD5 requires that you have
> >> clear-text
> >> passwords enabled. I still need to look at my pop and smtp servers
> >> to see
> >> how I can make them not advertise something that's not available on my
> >> system...
> > Really? That doesn't sound too secure, or even ethical.
> CRAM-MD5 is more secure because someone sniffing the network can't
> derive the sender's password. With all other SMTP AUTH methods, you
> can easily decode sniffed packets to get the email address and
> password. The only way for CRAM-MD5 to work is for the server to know
> the user's cleartext password.
> Granted, you need to make sure the cleartext password is stored
But why isn't the password stored in the passwd/mysql using CRAM-MD5
format? That way you could always check it. It wouldn't matter if the
client authenticated using plain or using CRAM-MD5. You could even
double cypher the password using mysql PASSWORD().
a) Client authenticates using plain username/password. Create CRAM-MD5
from those tokens and check with the password stored.
b) Client authenticates using CRAM-MD5 username/password. Directly
compare with the stored password.
Am I missing something important in here?
> Tom Collins - [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
> Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
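The CRAM-MD5 exchange the thread is arguing about, as an added example that is not part of the original mail nor of vpopmail's code. It assumes a constructed in-memory user table in place of the passwd/mysql store and shows why the server must hold the cleartext password: the client keys HMAC-MD5 with the password over a server challenge, so the digest changes with every challenge (there is no fixed "CRAM-MD5 format" to store) and a one-way hash of the password cannot be used as the key.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store standing in for the passwd/mysql table.
USERS = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname="mail.example.org"):
    """Fresh server challenge in the RFC 2195 shape <random.timestamp@host>."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_digest(password, challenge):
    """HMAC-MD5 keyed with the cleartext password over the challenge (hex)."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def client_response(username, password, challenge):
    """What the client sends back: base64("user digest")."""
    line = f"{username} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(line.encode()).decode()


def server_verify(response_b64, challenge, lookup_password=USERS.get):
    """Server side: recompute the digest from the stored password and compare.
    lookup_password(username) returns the stored password or None."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    stored = lookup_password(username)
    if stored is None:
        return False
    expected = cram_md5_digest(stored, challenge)
    return hmac.compare_digest(expected, digest)


def hashed_store_fails(username, password):
    """If the server keys HMAC-MD5 with md5(password) instead of the password,
    the digests no longer match: a one-way hash cannot replace the cleartext."""
    challenge = make_challenge()
    response = client_response(username, password, challenge)
    hashed = {username: hashlib.md5(password.encode()).hexdigest()}
    return not server_verify(response, challenge, hashed.get)
```

A response sniffed for one challenge is rejected against the next one, which is the property Tom describes; the cost is that the server-side key must be the password itself.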