Store passwords in plaintext in the database for security

Update: ejabberd 2.1.9 and newer versions support SCRAM authentication if using Mnesia database. If you enable this in ejabberd.cfg, the passwords are stored hashed on the server (see EJAB-1196). Authentication using ODBC databases doesn't yet support that (see EJAB-1598).

Question

The passwords for the Jabber accounts are stored in plaintext in the database. I think it can be a big security risk. I would like to configure ejabberd to store in the database only the MD5 or SHA-1 hash of the passwords.

Answer

This question is frequent, and has been posted on the forums and mailing lists of all Jabber servers. The quick answer is: storing passwords in plaintext limits the security of communications. The medium answer is: it is more secure to send passwords encrypted over the network and store them in plaintext in the database than to send the passwords in plaintext over the network and store them encrypted in the database.

In other words, the server needs to know the user password to support the most secure authentication mechanisms.

If you are interested in long answers, please check the provided links:

Alternatives:


Doesn't seem to work for MySQL

badlop wrote:

Update: ejabberd 2.1.9 and newer versions support SCRAM authentication. If you enable this in ejabberd.cfg, the passwords are stored hashed on the server (see EJAB-1196).

This may work for Mnesia but doesn't show any effect with MySQL storage.

But

Why not store them encrypted and send them encrypted for the security that some of us desire / need? If I were a developer, it doesn't seem like it would be too hard to have ejabberd decrypt with md5 or password functions.

Although to many people the encryption is not that important, to a few I'm sure the demand is growing.

Could someone explain why this can't be done or hasn't been done? ;) Not a big fan of "it just hasn't" or "it just doesn't". haha

Thanks in advance.

This may work for Mnesia but ...

badlop wrote:

Update: ejabberd 2.1.9 and newer versions support SCRAM authentication. If you enable this in ejabberd.cfg, the passwords are stored hashed on the server (see EJAB-1196).

This may work for Mnesia but doesn't show any effect with MySQL storage. Or is it possible that I just made mistakes in my config? Should it really work for MySQL? (Using ejabberd 13.12)

A possible solution

Hi all,

Here's one possible workaround, barring tweaking of eJabberd internals. Note that this works with the MySQL database implementation of eJabberd, but I'm sure it can be used with any system where we can set up an encryption trigger mechanism on the password field :)

1) Create an external authentication script, which will authenticate the user against the eJabberd database "users" table, where the passwords are encrypted with MD5.

2) Configure eJabberd to use the external authentication for authentication.

3) Add after-insert and after-update triggers to the "users" table which will encrypt the password with MD5 whenever a record is inserted or updated. This ensures that the password management of the Jabber server will encrypt the passwords.

1) and 2) will take care of verifying user credentials against the "users" table.

please hash stored passwords

Quote:

Why not store them encrypted and send them encrypted for the security that some of us desire / need? If I were a developer, it doesn't seem like it would be too hard to have ejabberd decrypt with md5 or password functions.

Encryption on the disk isn't the way to go; it would have to be symmetric. But I also want to point out: why not use a hash algorithm to store the passwords? They won't be needed in cleartext for anything; they are just there for verification, so the server doesn't need to know the passwords in plain ...

Why does it have to be an either-or and can't be both? I never saw the reasoning for why it can't be sent encrypted over the wire and stored hashed.
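The SCRAM mechanism mentioned in the update at the top of the page is exactly the "both" this comment asks for: the server keeps only a salted hash, and the client proves it knows the password without ever transmitting it. The following is an added example implementing the RFC 5802 key derivation and proof check in Python; it is not ejabberd code, and the salt, nonces and iteration count are constructed values.

```python
import base64
import hashlib
import hmac

# Salt, nonces and iteration count are constructed for the example;
# a real exchange draws fresh random nonces and a random per-user salt.
SALT = bytes.fromhex("4125c247e43ab1e93c6dff76")
ITERATIONS = 4096

def enroll(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> dict:
    """Server-side record created at registration: salt, iteration count,
    StoredKey and ServerKey (RFC 5802 section 3). The password is not kept."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": server_key}

def auth_message(client_nonce: bytes, server_nonce: bytes, salt: bytes, iterations: int) -> bytes:
    """client-first-bare , server-first , client-final-without-proof: ties a proof to one exchange."""
    combined = client_nonce + server_nonce
    client_first = b"n=user,r=" + client_nonce
    server_first = (b"r=" + combined + b",s=" + base64.b64encode(salt)
                    + b",i=" + str(iterations).encode("ascii"))
    client_final = b"c=biws,r=" + combined
    return client_first + b"," + server_first + b"," + client_final

def client_proof(password: str, salt: bytes, iterations: int, msg: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    Only this proof crosses the wire, never the password."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, msg, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def server_verify(record: dict, msg: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof, hash it, compare with StoredKey."""
    client_sig = hmac.new(record["stored_key"], msg, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

def login(record: dict, password: str, client_nonce: bytes = b"fyko+d2lbbFgONRv9qkxdawL",
          server_nonce: bytes = b"3rfcNHYJY1ZVvWVs7j") -> bool:
    """One complete exchange against a stored record; the password is used only client-side."""
    msg = auth_message(client_nonce, server_nonce, record["salt"], record["iterations"])
    proof = client_proof(password, record["salt"], record["iterations"], msg)
    return server_verify(record, msg, proof)
```

Because the proof is bound to the nonces in the AuthMessage, a captured proof cannot be replayed in a later exchange, and a copy of the stored record does not contain anything that can be sent as a password.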
