powered by Jive Software

No plaintext passwords, please!

C’mon…

currently passwordSQL (authorization in external db integration) uses scheme like

SELECT password FROM user_account WHERE username=?

so it expects password as query result which then is encrypted (passwordType set to md5 or sha1) or directly compared to what user provided.

now if i store passwords encrypted it should be possible to ask

SELECT DISTINCT 1 FROM user_account WHERE username=? and password=exotic(?) – given that i use exotic encoding

or

SELECT DISTINCT 1 FROM user_account WHERE username=? and password=encrypt(?,password) – if i’ll go with good old unix crypt()

Basically the idea is to pass username and password as query argument and expect boolean result (anything is true, null is false) rather that to pass just username and encode and compare returned password in application.

The problem with this is that this then requires plaintext authentication on the client-side, which is generally not as great of an idea. I can see why this might be a problem for some people though, considering usually people already have a system implemented for their storage of passwords, and most developers will use something one-way (such as MD5) to hash the password for more security.

I work somewhere that doesn’t hash the password but uses an encryption mechanism only known to developers inside of the company, so what I had to do was use plpgsql to replicate the PHP code as plpgsql code for decryption of the password:

Example:

SELECT pass_decrypt( password ) AS password FROM users WHERE username = ?

Unforunately, this won’t solve your problem if you’re using a hashing mechanism. Sorry =(

DallasG wrote:

The problem with this is that this then requires plaintext authentication on the client-side, which is generally not as great of an idea.

not a big issue if client uses SSL connection. this would be the same level of protection as pop3s or smtps and i doubt if jabber needs better protection that email. and if yes, admin should go for VPN or OTP.