On Wed, Feb 04, 2004 at 11:41:06AM -0800, Eric S. Pulley wrote:
> In this scenario you are still passing the SALT in clear text to the db
> but IMO this is much better than having your users logging in with
> plaintext passwords over an open network. Especially if your DB is on
> the same host as cyrus-imap since you can contain it to a socket and not
> use a network at all for the DB lookups.

So what is the gain here, really? I may be wrong, but I suspect that you've confused yourself on what you are protecting. If you aren't using TLS, then the password is going over the network in cleartext anyway. If imapd is on a different host than the db, then the encrypted password is going with the salt... so effectively cleartext.

--
Joe Rhett
Chief Geek
[EMAIL PROTECTED]
Isite Services, Inc.

---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html