>> Did you perhaps mean to have vpopmail store the user passwords in
>> plain text? I'm just checking, because to me it seems to lower
>> security and it seems to defeat the purpose of working with hashed
>> passwords. Could you please confirm this?
> Yes, thats what I meant by my comment. You need the plain text passwords
> in the vpopmail database. Having plain text passwords in the database
> doesn't necessarily lower the security as your database can be on a host
> which is not accessable to anything by the authenticating machine.
Just to elaborate on the point, CRAM-MD5 authentication REQUIRES that the
passwords be stored as plaintext, as that's the only way to verify the MD5
hash provided by the client. Server send the seed string, client
concatenates the seed and password (and maybe username, don't remember),
and sends the MD5 hash of that.  Server then concats the seed it sent with
the known plaintext password and compares the MD5 hash it comes up with to
that which the client sends.

It's a tradeoff - keeping plaintext passwords on a (hopefully) secure
server vs allowing the client to send the password in plaintext over the
network (though possibly over an encrypted channel).  I like it, but YMMV.


Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics


Reply via email to