ejabberd - Comments for "Store passwords in plaintext in the database for security" https://www.ejabberd.im/plaintext-passwords-db en

This may work for Mnesia but ... https://www.ejabberd.im/plaintext-passwords-db#comment-62903
<div class="quote-msg"> <div class="quote-author"><em>badlop</em> wrote:</div> <blockquote><p><strong>Update</strong>: ejabberd 2.1.9 and newer versions support SCRAM authentication. If you enable this in ejabberd.cfg, the passwords are stored hashed on the server (see <noindex><a href="https://support.process-one.net/browse/EJAB-1196" rel="nofollow" >EJAB-1196</a></noindex>).</p></blockquote> </div>
<p>This may work for Mnesia but doesn't show any effect with MySQL storage. Or is it possible that I just made mistakes in my config? Should it really work for MySQL? (Using ejabberd 13.12)</p>
Fri, 17 Jan 2014 14:12:52 +0000 monsterdhal comment 62903 at https://www.ejabberd.im

Doesn't seem to work for MySQL https://www.ejabberd.im/plaintext-passwords-db#comment-62902
<div class="quote-msg"> <div class="quote-author"><em>badlop</em> wrote:</div> <blockquote><p><strong>Update</strong>: ejabberd 2.1.9 and newer versions support SCRAM authentication. If you enable this in ejabberd.cfg, the passwords are stored hashed on the server (see <noindex><a href="https://support.process-one.net/browse/EJAB-1196" rel="nofollow" >EJAB-1196</a></noindex>).</p></blockquote> </div>
<p>This may work for Mnesia but doesn't show any effect with MySQL storage.</p>
Fri, 17 Jan 2014 14:03:31 +0000 monsterdhal comment 62902 at https://www.ejabberd.im

A possible solution https://www.ejabberd.im/plaintext-passwords-db#comment-55391
<p>Hi all,</p>
<p>Here's one possible workaround, barring tweaking of eJabberd internals.
Note that this works with the MySQL database implementation of eJabberd, but I'm sure it can be used against any system where we can set up an encryption trigger mechanism on the password field :)</p>
<p>1) Create an external authentication script, which will authenticate the user against the eJabberd database "users" table, where the passwords are encrypted with MD5.</p>
<p>2) Configure eJabberd to use the external authentication for authentication.</p>
<p>3) Add after-insert and after-update triggers to the "users" table which will encrypt the password in MD5 whenever a record is inserted or updated. This ensures that the password management of the Jabber server will encrypt the passwords.</p>
<p>1) and 2) will take care of verifying user credentials against the "users" table.</p>
Wed, 10 Mar 2010 06:45:02 +0000 everbright comment 55391 at https://www.ejabberd.im

please hash stored passwords https://www.ejabberd.im/plaintext-passwords-db#comment-55314
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>why not store them encrypted and send them encrypted for the security that some of us desire / need. If I were a developer it doesn't seem like it would be too hard to have ejabberd decrypt with md5 or password functions.</p></div>
<p>Encryption on the disk isn't the way to go, it would have to be symmetric. But I also want to point out, why not use a hash algorithm to store the passwords? They won't be needed in cleartext for anything, they are just there for verification so the server doesn't need to know the passwords in plain ...</p>
<p>Why does it have to be an either-or and can't be both? I never saw the reasoning for why it can't be sent encrypted over the wire and stored hashed.</p>
Mon, 22 Feb 2010 09:07:20 +0000 rhonda comment 55314 at https://www.ejabberd.im

But https://www.ejabberd.im/plaintext-passwords-db#comment-54579
<p>why not store them encrypted and send them encrypted for the security that some of us desire / need.
If I were a developer it doesn't seem like it would be too hard to have ejabberd decrypt with md5 or password functions.</p>
<p>although to many people, the encryption is not that important, but to a few I'm sure the demand is growing.</p>
<p>could someone explain why this can't be done or hasn't been done. ;) not a big fan of it just hasn't or it just doesn't. haha</p>
<p>thanks in advance.</p>
Tue, 25 Aug 2009 02:39:05 +0000 OvrFlote comment 54579 at https://www.ejabberd.im