On 19 Dec 2014, at 19:36, Mathieu Pasquet <[email protected]> wrote:
>
> On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
>> On 19 Dec 2014 18:32, "Sam Whited" <[email protected]> wrote:
>>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
>>>> Hi all,
>>>> thought it would be interesting to the audience of this mailing list.
>>>>
>>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
>>>>
>>>> Best regards,
>>>>
>>> Another great example of why you should ditch DIGEST-MD5 and store your
>>> passwords as SCRAM bits.
>>>
>>> —Sam
>>>
>> It feels like we should do something like the encryption push, but for
>> non-plaintext passwords.
>
> Do we have any statistics (e.g. on jabber.org) about what proportion of
> clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
> (though yes, PLAIN works well with hashed passwords, but should still be
> avoided whenever possible)
>
> That would be enlightening.
While I can’t say anything about clients not supporting stuff, obviously, clients choosing DIGEST are four times more numerous than clients choosing SCRAM, six times more numerous than those choosing PLAIN, and a small number do 78 auth and CRAM-MD5.

/K
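
The mechanism Sam is recommending above, as an added example (editor's code, not code from this thread, from jabber.org or from any client or server mentioned in it): a complete SCRAM-SHA-1 exchange per RFC 5802, with the server holding only the "SCRAM bits" (salt, iteration count, StoredKey, ServerKey) and the client recomputing its proof from the password. It replays the test vector published in RFC 5802 section 5 (user "user", password "pencil", the RFC's nonces and salt) so the wire values can be checked against the RFC. For contrast it also shows the only hashed form a DIGEST-MD5 server can keep, MD5(username:realm:password), which is password-equivalent; the realm "example.com" there is constructed for the example.

```python
# Added example: SCRAM-SHA-1 (RFC 5802) exchange, both sides, replayed against
# the RFC's own test vector. Editor's code, not from the thread or any project.
import base64
import hashlib
import hmac


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def digest_md5_secret(username: str, realm: str, password: str) -> str:
    # The only "hashed" form a DIGEST-MD5 server can store (RFC 2831):
    # MD5(username:realm:password). Anyone holding it can authenticate as
    # the user, so a leaked database is as bad as a plaintext one.
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def scram_store(password: str, salt: bytes, iterations: int) -> dict:
    """Server-side record for SCRAM-SHA-1: salt, iteration count, StoredKey
    and ServerKey. Neither key lets its holder log in as the client; that
    needs ClientKey, i.e. a SHA-1 preimage of StoredKey."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: rederive the keys from the password, then
    ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return xor_bytes(client_key, signature)


def server_verify(record: dict, auth_message: bytes, proof: bytes):
    """Server side: unmask ClientKey from the proof and compare its SHA-1
    with StoredKey. Returns (ok, ServerSignature or None)."""
    signature = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = xor_bytes(proof, signature)
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"]):
        return False, None
    return True, hmac.new(record["server_key"], auth_message, hashlib.sha1).digest()


def run_rfc5802_example() -> dict:
    """Replay the RFC 5802 section 5 exchange and return the wire values."""
    user, password = "user", "pencil"
    client_nonce = "fyko+d2lbbFgONRv9qkxdawL"
    server_nonce = client_nonce + "3rfcNHYJY1ZVvWVs7j"
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    iterations = 4096

    record = scram_store(password, salt, iterations)  # provisioned at signup

    client_first_bare = f"n={user},r={client_nonce}"
    server_first = f"r={server_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_bare = f"c=biws,r={server_nonce}"  # biws == base64("n,,")
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    proof = client_proof(password, salt, iterations, auth_message)
    ok, server_sig = server_verify(record, auth_message, proof)
    # A proof altered in transit (or forged without ClientKey) must be rejected.
    tampered_ok, _ = server_verify(record, auth_message, xor_bytes(proof, b"\x01" * 20))
    return {
        "client_final": f"{client_final_bare},p={base64.b64encode(proof).decode()}",
        "server_final": f"v={base64.b64encode(server_sig).decode()}" if ok else None,
        "verified": ok,
        "tampered_verified": tampered_ok,
        "digest_md5_secret": digest_md5_secret(user, "example.com", password),
    }


if __name__ == "__main__":
    for key, value in run_rfc5802_example().items():
        print(f"{key}: {value}")
```

The point of the contrast is in the two records: `scram_store` never keeps anything from which a login can be replayed, while `digest_md5_secret` is exactly what an attacker needs, which is why a server wanting to offer DIGEST-MD5 is forced to store something password-equivalent.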
