Clear text password and MySQL
Joe Rhett
jrhett at isite.net
Tue Mar 16 17:13:49 EST 2004
On Wed, Feb 04, 2004 at 11:41:06AM -0800, Eric S. Pulley wrote:
> In this scenario you are still passing the SALT in clear text to the db
> but IMO this is much better than having your users logging in with
> plaintext passwords over an open network. Especially if your DB is on
> the same host as cyrus-imap since you can contain it to a socket and not
> use a network at all for the DB lookups.
So what is the gain here, really? I may be wrong, but I suspect that
you've confused yourself on what you are protecting. If you aren't using
TLS, then the password is going over the network in cleartext anyway.
If imapd is on a different host than the db, then the encrypted password
is going with the salt... so effectively cleartext.
--
Joe Rhett Chief Geek
JRhett at Isite.Net Isite Services, Inc.
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html