
Openfire password storage...I know where we are...but why?

I have been searching for an answer to this question, and I have been unable to find a complete answer.

So here I am!

Ok, so first question:

I know that Openfire encrypts user passwords when storing them in the database. I know how it encrypts the passwords.

What I am not entirely clear on is why.

Now, I should say, I understand why if the account needs to authenticate to an outside server, such as with Kraken. But if the account is for the Openfire chat server, why am I stuck encrypting instead of doing a secure hash?

This leads into my second question.

Given that no user account on my Openfire implementation will ever need to authenticate to any system outside of Openfire, is there any method already built into Openfire to allow me to store their passwords as secure one-way hashes instead of encrypting them?

thanks

So, based off of further research/working with/poking at the system, I have found answers for my questions. I will place them below for anyone who is running into a similar quandary.

I know that Openfire encrypts user passwords when storing them in the database. I know how it encrypts the passwords.

What I am not entirely clear on is why.

Now, I should say, I understand why if the account needs to authenticate to an outside server, such as with Kraken. But if the account is for the Openfire chat server, why am I stuck encrypting instead of doing a secure hash?

From what I can see, this is because there is no logical separation between accounts that need to authenticate elsewhere and accounts that only authenticate to the Openfire server. Therefore, all accounts are treated as if they need to authenticate elsewhere.

As an aside to this, in poking around the database I discovered that the system-wide encryption key for all encrypted passwords in an Openfire instance is stored in the same database (albeit a different table) as the encrypted passwords. …I hope that I do not have to explain why this is a bad thing…

Given that no user account on my Openfire implementation will ever need to authenticate to any system outside of Openfire, is there any method already built into Openfire to allow me to store their passwords as secure one-way hashes instead of encrypting them?

No.

Not to put any pressure on the extremely busy and amazing Openfire Dev team, but I too would strongly support use of cryptographically hashed passwords instead of encrypted passwords. I’m not familiar with Kraken’s use, but it would seem that use of crypto hashes could be done in place of encrypting passwords in total. Crypto hashed passwords are the strongest form of password security we have today, and when done properly, are almost impossible to reverse. There is no way to make encrypted passwords “safe” since the unencryption key must be stored someplace the server (Openfire in this instance) can access, meaning if the OF server gets compromised, then all of the passwords might as well have been stored in plain text.

just my 2 cents! I know the OF team has a lot on their hands already…
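What a one-way password store of the kind the reply above argues for looks like, as an added example that is not Openfire's code: a stored record holds only a salt, an iteration count and a PBKDF2 digest, so a server (or anyone who reads its database) can check a password but has no key with which to recover it. The record format, the iteration count and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Assumed record layout: algorithm$iterations$salt$digest, all base64 where binary.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: tune to your own hardware budget


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = b"") -> str:
    """Derive a one-way record; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses an old algorithm or too few iterations."""
    algo, iters, _, _ = record.split("$")
    return algo != ALGORITHM or int(iters) < min_iterations


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify a login and, because the plaintext is in hand only now,
    upgrade a weak record to the current parameters."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record
```

The rehash-on-login step is the only moment the plaintext is available to strengthen an old record, which is why a store like this has nothing to hand an attacker who copies the table.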