Update: ejabberd 2.1.9 and newer versions support SCRAM authentication if using Mnesia database. If you enable this in ejabberd.cfg, the passwords are stored hashed on the server (see EJAB-1196). Authentication using ODBC databases doesn't yet support that (see EJAB-1598).
The passwords for the Jabber accounts are stored in plaintext in the database. I think it can be a big security risk. I would like to configure ejabberd to store in the database only the MD5 or SHA-1 hash of passwords.
This question comes up frequently and has been posted on the forums and mailing lists of all Jabber servers. The quick answer is: storing passwords in plaintext limits the security of communications. The medium answer is: it is more secure to send passwords encrypted over the network and store them in plaintext in the database than to send the passwords in plaintext over the network and store them encrypted in the database.
In other words, with challenge-response mechanisms such as DIGEST-MD5 the server needs to know the user's password in order to verify the response, so it must store the password (or something equivalent to it) rather than a plain one-way hash. SCRAM, mentioned in the update above, is the mechanism that resolves this: the server keeps only salted, derived keys, and the client still never sends the password over the wire.
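The following is an added worked example, not ejabberd's code, showing the SCRAM-SHA-1 key derivation from RFC 5802 that the update refers to: what the server stores instead of the password, how the client proves it knows the password without sending it, and why a captured proof cannot be replayed. The message framing is simplified (no channel binding, fixed `c=biws` attribute) and the user, nonce and salt values are constructed for the demonstration.

```python
"""SCRAM-SHA-1 (RFC 5802) worked example: server stores derived keys only.
Added example; not ejabberd code. Framing simplified, no channel binding."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScramRecord:
    """What the server keeps per user instead of the plaintext password."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey): not usable on its own as a client proof
    server_key: bytes   # lets the server prove itself to the client


def _h(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-1
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)


def register(password: str, iterations: int = 4096,
             salt: Optional[bytes] = None) -> ScramRecord:
    """Server-side enrolment: derive the keys once, then forget the password."""
    salt = salt if salt is not None else os.urandom(16)
    salted = _salted_password(password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    server_key = _hmac(salted, b"Server Key")
    return ScramRecord(salt, iterations, _h(client_key), server_key)


def auth_message(user: str, cnonce: str, snonce: str, record: ScramRecord) -> bytes:
    """client-first-bare , server-first , client-final-without-proof (RFC 5802 section 3)."""
    client_first_bare = f"n={user},r={cnonce}"
    server_first = (f"r={cnonce}{snonce},s={base64.b64encode(record.salt).decode()},"
                    f"i={record.iterations}")
    client_final_bare = f"c=biws,r={cnonce}{snonce}"
    return f"{client_first_bare},{server_first},{client_final_bare}".encode()


def client_proof(password: str, salt: bytes, iterations: int, auth_msg: bytes) -> bytes:
    """Client side: proof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _hmac(_salted_password(password, salt, iterations), b"Client Key")
    client_sig = _hmac(_h(client_key), auth_msg)
    return _xor(client_key, client_sig)


def server_verify(record: ScramRecord, auth_msg: bytes, proof: bytes) -> Optional[bytes]:
    """Recover ClientKey from the proof, check H(ClientKey) == StoredKey.
    Returns ServerSignature on success, None on failure."""
    client_sig = _hmac(record.stored_key, auth_msg)
    client_key = _xor(proof, client_sig)
    if not hmac.compare_digest(_h(client_key), record.stored_key):
        return None
    return _hmac(record.server_key, auth_msg)


def client_verify_server(password: str, salt: bytes, iterations: int,
                         auth_msg: bytes, server_sig: bytes) -> bool:
    """Client side: confirm the server knew ServerKey (mutual authentication)."""
    server_key = _hmac(_salted_password(password, salt, iterations), b"Server Key")
    return hmac.compare_digest(_hmac(server_key, auth_msg), server_sig)


def scram_login(record: ScramRecord, typed_password: str, user: str,
                cnonce: str, snonce: str) -> bool:
    """Run both halves of the exchange; True only if client and server verify."""
    msg = auth_message(user, cnonce, snonce, record)
    proof = client_proof(typed_password, record.salt, record.iterations, msg)
    server_sig = server_verify(record, msg, proof)
    if server_sig is None:
        return False
    return client_verify_server(typed_password, record.salt, record.iterations, msg, server_sig)


if __name__ == "__main__":
    # constructed values for the demonstration
    rec = register("correct horse", salt=b"\x00" * 16)
    print("correct password:", scram_login(rec, "correct horse", "alice", "cn1", "sn1"))
    print("wrong password:  ", scram_login(rec, "wrong", "alice", "cn1", "sn1"))
```

The record held by the server contains a salt, an iteration count, `StoredKey` and `ServerKey`; none of these lets someone who reads the database impersonate the user, because the proof requires `ClientKey`, and only its hash is stored. The proof is also bound to both nonces through `AuthMessage`, so a proof captured from one session does not verify against another. The trade-off the FAQ describes still holds for legacy mechanisms like DIGEST-MD5, which is why SCRAM is the right mechanism to enable when hashed storage is the goal.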
If you are interested in the long answers, please check the following links:
- [jadmin] jabberd14 'crypt' password storage in postgressql
- [jadmin] Plaintext passwords
- [jdev] plaintext passwords hack