On Thu, Dec 09, 1999 at 10:20:35PM -0500, Michael H. Warfield wrote:
> On Thu, Dec 09, 1999 at 08:58:16PM -0500, Jason Costomiris wrote:
> > On Thu, Dec 09, 1999 at 08:50:27PM -0500, Michael H. Warfield wrote:
> > : I don't agree that you have to store the passwords on the server
> > : in clear text. I've got one server with APOP configured and it stores
> > : hashes. They are different hashes from the normal password hashes, so
> > : you have to have a different database for APOP, but it's not storing clear
> > : text passwords. Administratively it really sucks to maintain the separate
> > : password databases and changing passwords is a royal hassle.
>
> > APOP by nature requires you to have clear passwords on the server side.
> > The container isn't necessarily a text file, but the passwords have to be
> > clear, otherwise when you MD5() them, you won't get the proper result..
> > Qpopper stores them inside a dbm database.
>
> Hmmm... So it does... Just jumped into the Fetchmail sources and
> looked over the algorithm. Well that just blows goats. Trades security
> on the wire for clear (or at least easy to get at) passwords on the server.
> Man that sucks and blows one of my arguments.

Hashed passwords are not necessarily more secure than plaintext ones... It
still boils down to protecting the file the passwords are stored in. If a
person gets root access on your e-mail server, no password encryption
scheme is going to save you.
--
Steve Borho Voice: 314-615-6349
Network Engineer
Celox Communications Corp
Fortune of the day:
Swap read error. You lose your mind.
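
The APOP check discussed in this thread, as an added example that is not part of the original messages and is not Fetchmail or Qpopper code. It uses the sample timestamp, secret and digest from the APOP example in RFC 1939; the function names and the "stored hash" server are hypothetical.

```python
import hashlib
import hmac

# Sample values from the APOP example in RFC 1939, section 7.
BANNER_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
SHARED_SECRET = "tanstaaf"
RFC_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"


def apop_digest(timestamp: str, secret: str) -> str:
    """Client side: MD5 over the banner timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def verify_with_cleartext(timestamp: str, stored_secret: str, client_digest: str) -> bool:
    """Server that keeps the recoverable secret: recompute and compare."""
    expected = apop_digest(timestamp, stored_secret)
    return hmac.compare_digest(expected, client_digest)


def verify_with_stored_hash(timestamp: str, stored_hash: str, client_digest: str) -> bool:
    """Hypothetical server that kept only MD5(secret).

    The secret is the tail of the hashed input, so a one-way hash of it
    cannot be substituted: the recomputed value never matches the client's.
    """
    candidate = hashlib.md5((timestamp + stored_hash).encode("ascii")).hexdigest()
    return hmac.compare_digest(candidate, client_digest)


def demo() -> dict:
    client_digest = apop_digest(BANNER_TIMESTAMP, SHARED_SECRET)
    stored_hash = hashlib.md5(SHARED_SECRET.encode("ascii")).hexdigest()
    # Constructed timestamp standing in for the banner of a later session.
    later_timestamp = "<1897.697170999@dbc.mtview.ca.us>"
    return {
        "matches_rfc": client_digest == RFC_DIGEST,
        "cleartext_server_accepts": verify_with_cleartext(
            BANNER_TIMESTAMP, SHARED_SECRET, client_digest),
        "hash_only_server_accepts": verify_with_stored_hash(
            BANNER_TIMESTAMP, stored_hash, client_digest),
        # A digest captured on the wire is useless against a new banner.
        "old_digest_accepted_later": verify_with_cleartext(
            later_timestamp, SHARED_SECRET, client_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```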