ejabberd - Comments for "how to encrypt passwords when using mysql"
https://www.ejabberd.im/node/3631

No reaction on this complaint
https://www.ejabberd.im/node/3631#comment-62895

No reaction on this complaint for more than half a year? When will password encryption for MySQL be implemented in ejabberd? I am very interested in this "bug fix" as well. Never heard about the thesis that password encryption in databases should make no sense for any reason. Please learn about encryption to prevent claiming such nonsense. :o)

monsterdhal, Fri, 17 Jan 2014 09:31:19 +0000 (comment 62895 at https://www.ejabberd.im)

echamberlain wrote: For that
https://www.ejabberd.im/node/3631#comment-60124

> echamberlain wrote:
> For that reason, incorporating the encryption and decryption of plaintext passwords in ejabberd doesn't make any sense.

Sorry, but this sounds completely like bullshit to me.
Security should start at the lowest layer and focus on all elements in the relevant chain.
So securing esp. passwords is one of the first issues that should be focused on in security.
I think there are enough reasons why passwords should be secured:
- multiple administrators (privileged access management, ...)
- 3rd party application security, i.e. interfacing an external web application for account management
- application security, etc.

There are enough services all around the ecosystem that demonstrate how to handle secured passwords in the database, i.e. MySQL and PostgreSQL support different encryption methods for passwords and indicate them by some attribute or pattern-matching like "{md5}d41d8cd98f00b204e9800998ecf8427e".

sincerely

roland

tr33, Sun, 05 May 2013 22:51:19 +0000 (comment 60124 at https://www.ejabberd.im)

What are you trying to protect against?
https://www.ejabberd.im/node/3631#comment-57373

SASL DIGEST-MD5 authentication needs the plaintext password on the server. If the password is stored encrypted in the database, then the password must be decrypted before the server can authenticate the user. Anyone with root access to the system could do the same thing and gain access to the plaintext password.

For that reason, incorporating the encryption and decryption of plaintext passwords in ejabberd doesn't make any sense.

If minimizing access to the plaintext password is important, then using an external script running on a separate system with restricted access would be the proper implementation. ejabberd would pass the authentication information to the authentication box, which would in turn pull the encrypted password from the database, decrypt it, perform the authentication check and return the result to ejabberd. This implementation would keep the ejabberd admins (assuming passwords are not reset through ejabberd) and the database admins from having access to plaintext passwords. But even in this scenario, the administrator of the authentication box would be able to gain access to the decrypted passwords, and restricted access to the physical box, auditing, etc. would be needed to ensure security.

echamberlain, Sat, 21 May 2011 02:22:04 +0000 (comment 57373 at https://www.ejabberd.im)

Agree, both TLS *and* encrypted passwords should be provided.
https://www.ejabberd.im/node/3631#comment-57275

I agree, passwords should be encrypted for the sake of database security. My point: even if no Chinese cracker breaks into your MySQL server, the database administrator could get mad with the enterprise and he can steal data in order to sell it, extort and so on. And since most lusers use the same pass for every service, you can imagine. There are even legal aspects involved. Just think Sony and PSN.

Ok, the argument is passwords must travel encrypted. Then use TLS! Opponents would say: no, because man in the middle and so on. If this is true, TLS is already flawed and I won't buy anything on the Internet from today.

MetaYii, Tue, 03 May 2011 18:24:46 +0000 (comment 57275 at https://www.ejabberd.im)

This really needs to be addressed
https://www.ejabberd.im/node/3631#comment-57004

Can I just say, as many other people here already have, that not encrypting passwords in the database is a MAJOR security issue. Encrypting the traffic is always the default response when someone raises it, but that is simply not enough, and it's just not good design to leave user data unprotected. There is no reason for encrypted traffic AND passwords not to co-exist.

In my opinion, this leaves ejabberd VERY exposed, and I am honestly kind of shocked at how unimportant the issue seems to be here. It would make me feel better if the development community at least acknowledged that this functionality is an important part of a secure system.

dknighton, Thu, 27 Jan 2011 19:26:24 +0000 (comment 57004 at https://www.ejabberd.im)

Not implemented, see: Store
https://www.ejabberd.im/node/3631#comment-54577

Not implemented, see: Store passwords in plaintext in the database for security (/plaintext-passwords-db).

If you worry about network security, you can require the clients to encrypt all traffic, including the authentication process. Search 'starttls' in the ejabberd Guide.

If you worry about DB theft on your server machine, then you are in big trouble, and passwords are not the major problem.

If you worry about sharing the DB with untrusted third parties, then you can write an extauth script, and then you take care of password verification against MySQL or anything else. Search extauth in the ejabberd Guide.

mfoss, Mon, 24 Aug 2009 14:41:36 +0000 (comment 54577 at https://www.ejabberd.im)
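mfoss's last comment points at ejabberd's extauth mechanism as the way to verify passwords against MySQL without ejabberd itself holding them in plaintext. What follows is an added example, not code from this thread or from ejabberd: a minimal extauth script in Python that answers ejabberd's auth and isuser requests by checking the offered password against a salted PBKDF2 hash, so the database only ever holds a hash. It assumes the framing of ejabberd's extauth protocol (a 2-byte big-endian length prefix, commands such as auth:User:Server:Password, and a reply of length 2 carrying 1 or 0); the USERS dictionary is a constructed stand-in for the MySQL lookup, and the account names and passwords in it are made up.

```python
import hashlib, hmac, os, struct, sys

# Constructed stand-in for the MySQL table: (user, server) -> salted PBKDF2 record.
# Only the hash is stored, so a dump of this table yields no plaintext password.
def make_record(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

USERS = {
    ("alice", "example.org"): make_record("correct horse battery staple"),
    ("bob", "example.org"): make_record("pass:with:colons"),
}

def verify(user, server, password):
    # recompute PBKDF2 over the offered password and compare in constant time
    rec = USERS.get((user, server))
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])

def handle(command):
    # one extauth command in, True/False out (sent to ejabberd as 1/0)
    parts = command.split(":")
    if parts[0] == "auth" and len(parts) >= 4:
        return verify(parts[1], parts[2], ":".join(parts[3:]))  # password may contain ':'
    if parts[0] == "isuser" and len(parts) == 3:
        return (parts[1], parts[2]) in USERS
    return False  # setpass/tryregister/removeuser: refused, accounts are managed elsewhere

def read_command(stream):
    # ejabberd frames each command with a 2-byte big-endian length prefix
    header = stream.read(2)
    if len(header) < 2:
        return None  # EOF: ejabberd closed the pipe
    (length,) = struct.unpack(">H", header)
    return stream.read(length).decode("utf-8")

def write_result(stream, ok):
    # reply: 2-byte length (always 2) followed by a 2-byte 1 (accept) or 0 (reject)
    stream.write(struct.pack(">HH", 2, 1 if ok else 0))
    stream.flush()

def main():
    while (command := read_command(sys.stdin.buffer)) is not None:
        write_result(sys.stdout.buffer, handle(command))

if __name__ == "__main__":
    main()
```

Because the script receives the password itself, extauth can only serve the PLAIN mechanism, which is why it belongs together with the STARTTLS requirement mfoss mentions; DIGEST-MD5 cannot be offered from a hashed store, for exactly the reason echamberlain gives.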