Timestamp: Feb 28, 2014, 9:11:31 AM
Author: fedor.brunner
Comment: changing links to HTTPS
v17 | v18
18 | 18 | == "But other programs don't store my password in plain text!" == |
19 | 19 | |
20 | | That's true. But few of them store it in a way that's any safer. A Google search for [http://www.google.com/search?q=im+passwords "im passwords"] shows a bunch of hits for getting the passwords out of other IM clients just as easily as Pidgin. |
| 20 | That's true. But few of them store it in a way that's any safer. A Google search for [https://www.google.com/search?q=im+passwords "im passwords"] shows a bunch of hits for getting the passwords out of other IM clients just as easily as Pidgin. |
21 | 21 | |
22 | 22 | The very first link is a clear indication that '''''__none__''''' of these IM applications provide any sort of real password security: |
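Review bot: The scheme change on line 20 is correct, but the claim on line 22 that "the very first link" of that search proves the point depends on live search results that change over time; since this line is being rewritten anyway, consider pointing at a specific, stable article instead of a search query so the argument does not silently decay.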
… |
… |
|
108 | 108 | == DIGEST-MD5 in Jabber/XMPP == |
109 | 109 | |
110 | | [http://www.xmpp.org/rfcs/rfc3920.html#security-mandatory RFC 3920] requires that Jabber/XMPP servers implement SASL DIGEST‑MD5 authentication method. This allows clients (and servers) to not store the password in plain-text but instead store cryptographic hash (MD5) of user name, domain and password. If the password is strong this makes nearly impossible for an attacker to recover the password. |
| 110 | [https://xmpp.org/rfcs/rfc3920.html#security-mandatory RFC 3920] requires that Jabber/XMPP servers implement SASL DIGEST‑MD5 authentication method. This allows clients (and servers) to not store the password in plain-text but instead store cryptographic hash (MD5) of user name, domain and password. If the password is strong this makes nearly impossible for an attacker to recover the password. |
111 | 111 | |
112 | 112 | Following downsides remain: |
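Review bot: The edit to line 110 changes more than the scheme: the host also goes from www.xmpp.org to xmpp.org, which the commit message ("changing links to HTTPS") does not mention, so confirm the #security-mandatory anchor still resolves at the new host. Two things worth fixing while touching this line: "DIGEST‑MD5" uses a non-ASCII (non-breaking) hyphen that does not match the ASCII "DIGEST-MD5" in the heading on line 108 and will defeat a plain text search, and the sentence reads better as "implement the SASL DIGEST-MD5 authentication method ... store a cryptographic hash ... this makes it nearly impossible". Finally, with DIGEST-MD5 the stored hash of user name, domain and password is itself enough to authenticate as the user, so "nearly impossible for an attacker to recover the password" should not be read as the stored value being harmless; make sure the "downsides" list that follows line 112 states this.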
… |
… |
|
117 | 117 | Currently (as of 2008) Pidgin does not store the hash. elb: "I would accept a good patch to implement that" |
118 | 118 | |
119 | | As of 2010, the draft version of the next XMPP standard specifies [http://tools.ietf.org/html/rfc5802 SCRAM-SHA-1] as the mandatory-to-implement mechanism, replacing DIGEST-MD5, though not all servers support it currently. |
| 119 | As of 2010, the draft version of the next XMPP standard specifies [https://tools.ietf.org/html/rfc5802 SCRAM-SHA-1] as the mandatory-to-implement mechanism, replacing DIGEST-MD5, though not all servers support it currently. |
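Review bot: The HTTPS change on line 119 is fine, but the surrounding text is stale: line 117 says "Currently (as of 2008)" and line 119 still describes "the draft version of the next XMPP standard" as of 2010, while this edit is dated 2014 and the successor to RFC 3920 has since been published as a final RFC. Consider refreshing both dated statements (and re-checking whether Pidgin still does not store the hash) rather than only updating the link scheme.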