
Changes between Version 20 and Version 21 of PlainTextPasswords


Timestamp: Aug 9, 2015, 2:40:25 AM (8 years ago)
Author: mmcco
Comment: trivial cleanup

  • PlainTextPasswords

    v20 v21  
    9898Then don't save your passwords in Pidgin or Finch.  As noted above, not saving the password is the default behavior.  This is another instance of "if someone else can access your files and you can't trust them not to misuse stored sensitive data, don't store the sensitive data."  Besides, you have to log in to your operating system anyway; it's not really going to kill you to have to type the same password one more time.
    9999
    100 == DIGEST-MD5 in Jabber/XMPP ==
     100== Hash-based SASL in Jabber/XMPP ==
    101101
    102102[https://xmpp.org/rfcs/rfc3920.html#security-mandatory RFC 3920] requires that Jabber/XMPP servers implement SASL DIGEST‑MD5 authentication method. This allows clients (and servers) to not store the password in plain-text but instead store cryptographic hash (MD5) of user name, domain and password. If the password is strong this makes nearly impossible for an attacker to recover the password.
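Review bot: The new heading on line 100, "Hash-based SASL in Jabber/XMPP", is broader than the paragraph it now introduces: unchanged line 102 still describes only DIGEST-MD5 and an MD5 hash of user name, domain and password. Either add a sentence saying the section covers DIGEST-MD5 first and SCRAM-SHA-1 further down, or keep the mechanism name in the heading. Renaming a heading also changes its wiki anchor, so check for inbound links to the old section name; that is more than the "trivial cleanup" in the change comment suggests. While this section is being touched, line 102 should read "store a cryptographic hash" and "this makes it nearly impossible".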
     
    107107- When server stops supporting DIGEST‑MD5 authentication (but still provide other password-based), Pidgin will have to ask for password.
    108108
    109 Currently (as of 2008) Pidgin does not store the hash. elb: "I would accept a good patch to implement that"
     109Patches that add support to store only password hashes are welcome.
    110110
    111111As of 2010, the draft version of the next XMPP standard specifies [https://tools.ietf.org/html/rfc5802 SCRAM-SHA-1] as the mandatory-to-implement mechanism, replacing DIGEST-MD5, though not all servers support it currently.
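Review bot: Replacing line 109 drops the only statement of current behaviour, "Pidgin does not store the hash", so after this change the section no longer says whether hash-only storage exists; the reader can only infer it from the call for patches. Keep a sentence such as "Pidgin does not currently store the hash; patches that add support for storing only password hashes are welcome." Dropping the dated "as of 2008" and the developer quote is fine, but "add support to store" should read "add support for storing".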