Why does Cyrus SASL store plaintext passwords in its databases?

To operate with the CRAM-MD5 and DIGEST-MD5 mechanisms, CyrusSasl stores plaintext versions of the passwords in its secret database (an AuxpropPlugin).

This is typically regarded as an insecure practice; however, the alternative is not much better. For CRAM-MD5 and DIGEST-MD5 to function, they must have a plaintext equivalent locally in order to confirm the hash that actually goes across the wire. Thus, if these equivalents were compromised, it is trivially easy for an attacker to have access to any account on the system.

Note that for DIGEST-MD5 this isn't strictly true: the hash that DIGEST can use limits the attack to only the realm for which the password applies, but this is a questionable security gain for the increased management hassles (you can't share them between mechanisms) that the plaintext equivalents cause.

-- RobSiemborski - 24 Jul 2003
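
The following is an added illustration of the point made in the answer above; it is not Cyrus SASL code and is not from the original page. It implements the client and server arithmetic of CRAM-MD5 (RFC 2195) and a simplified DIGEST-MD5 (RFC 2831, qop=auth only) over constructed credentials, then shows what an attacker can do with the secret a server has to store for each mechanism: the CRAM-MD5 secret is the password itself, whereas the DIGEST-MD5 secret MD5(user:realm:password) only lets the attacker authenticate in that one realm. The user, realm, password, nonces and digest-uri values are all made up for the example.

```python
import hashlib
import hmac

# Constructed credentials for the example; not real accounts.
USER = "alice"
REALM = "example.org"
PASSWORD = "correct horse battery staple"


def cram_md5_response(challenge: bytes, password: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server's
    challenge, keyed with the plaintext password, sent as hex."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_verify(challenge: bytes, response: str, stored_secret: str) -> bool:
    """Server side: the only way to check the HMAC is to recompute it, so the
    store must hold the plaintext password (or the HMAC inner/outer key
    state, which is equivalent to it for this purpose)."""
    expected = cram_md5_response(challenge, stored_secret)
    return hmac.compare_digest(expected, response)


def digest_user_realm_pass(user: str, realm: str, password: str) -> bytes:
    """DIGEST-MD5 (RFC 2831): the 16-byte MD5(user:realm:password).  A server
    can store this instead of the plaintext; it is bound to the realm."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()


def digest_md5_response(secret: bytes, nonce: str, cnonce: str,
                        nc: str, digest_uri: str) -> str:
    """Simplified RFC 2831 response-value for qop=auth.
    A1 = MD5(user:realm:pass) ":" nonce ":" cnonce
    A2 = "AUTHENTICATE:" digest-uri
    response = MD5(HEX(MD5(A1)) ":" nonce ":" nc ":" cnonce ":auth:" HEX(MD5(A2)))"""
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()
    return hashlib.md5(kd).hexdigest()


def digest_md5_verify(stored_secret: bytes, nonce: str, cnonce: str,
                      nc: str, digest_uri: str, response: str) -> bool:
    """Server side: recompute from the stored MD5(user:realm:pass)."""
    expected = digest_md5_response(stored_secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


def attacker_with_stolen_secrets(nonce: str = "n1", cnonce: str = "c1") -> dict:
    """Assume the server's secret store was read by an attacker.  Returns what
    the attacker can now forge with each mechanism's stored secret."""
    stolen_cram_secret = PASSWORD                                   # plaintext
    stolen_digest_secret = digest_user_realm_pass(USER, REALM, PASSWORD)

    # CRAM-MD5: the stolen secret *is* the password, so it authenticates
    # anywhere alice uses that password, in any realm.
    chal = b"<1234.5678@mail.other.org>"
    cram_any_server = cram_md5_verify(
        chal, cram_md5_response(chal, stolen_cram_secret), PASSWORD)

    # DIGEST-MD5: the stolen hash forges valid responses for its own realm...
    resp = digest_md5_response(stolen_digest_secret, nonce, cnonce,
                               "00000001", f"imap/{REALM}")
    digest_same_realm = digest_md5_verify(stolen_digest_secret, nonce, cnonce,
                                          "00000001", f"imap/{REALM}", resp)

    # ...but a server in another realm stores MD5(user:other.org:pass), which
    # cannot be derived from the stolen value without the password itself.
    other_store = digest_user_realm_pass(USER, "other.org", PASSWORD)
    resp2 = digest_md5_response(stolen_digest_secret, nonce, cnonce,
                                "00000001", "imap/other.org")
    digest_other_realm = digest_md5_verify(other_store, nonce, cnonce,
                                           "00000001", "imap/other.org", resp2)

    return {
        "cram_md5_secret_works_on_any_server": cram_any_server,
        "digest_md5_secret_works_in_own_realm": digest_same_realm,
        "digest_md5_secret_works_in_other_realm": digest_other_realm,
    }


if __name__ == "__main__":
    for k, v in attacker_with_stolen_secrets().items():
        print(f"{k}: {v}")
```

The last function is the point of the answer in executable form: both mechanisms require a password-equivalent on the server, and a leaked DIGEST-MD5 hash is only slightly less damaging than a leaked plaintext because the realm is mixed into it.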

Topic revision: r23 - 26 Jan 2006 - 15:26:22 - jalang