nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

prosody backend does not support unsalted passwords #93

Closed Oreolek closed 5 years ago

Oreolek commented 5 years ago

Prosody allows you to have unsalted passwords, this plugin doesn't.

violoncelloCH commented 5 years ago

Let's treat this as an enhancement request, not a bug, because the current implementation works well for its use case... May I ask, what is the advantage of having unsalted passwords?

@sebastiansterk could you take a look at this, because you've implemented the prosody backend...?

Oreolek commented 5 years ago

No advantage but it's the default setting for prosody at the moment.

violoncelloCH commented 5 years ago

Okay, thanks for clarifying @Oreolek. @sebastiansterk, are you somewhere around?

sebastiansterk commented 5 years ago

Yes, I will take a look at it.

sebastiansterk commented 5 years ago

@violoncelloCH Just prepared a potential feature for validating plaintext passwords. Tomorrow I will try to test it and finish everything. Will keep you updated.

@ore

No advantage but it's the default setting for prosody at the moment.

Afaik the default setting for prosody is internal_hashed. Reference: https://prosody.im/doc/authentication This means that you must explicitly activate the option to save user passwords in plain text, since they are stored securely by default.

In the meantime, we should think about whether we (nextcloud and user_external devs) really want to support this insecure way of storing passwords. In my opinion, passwords should never be stored in plain text.
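The difference between the two Prosody stores discussed above is what a backend has to do at login time. With internal_hashed, Prosody keeps no password at all, only the SCRAM-SHA-1 values derived from it (stored_key, server_key, salt, iteration_count), so a verifier must rerun the same PBKDF2/HMAC derivation and compare against stored_key. With internal_plain, the literal password sits in the account record, so "verification" is a string comparison and anyone who can read the store has every user's password. The following is an added illustration written for this thread, not code from user_external or from Prosody; the account records, the salt value and the field names used here are constructed for the example (the derivation follows the SCRAM-SHA-1 definition in RFC 5802, which is what Prosody's internal_hashed store is built on):

```python
import hashlib
import hmac
import uuid

# SCRAM-SHA-1 derivation (RFC 5802):
#   SaltedPassword = PBKDF2-HMAC-SHA1(password, salt, iterations)
#   ClientKey      = HMAC(SaltedPassword, "Client Key")
#   StoredKey      = SHA1(ClientKey)
#   ServerKey      = HMAC(SaltedPassword, "Server Key")
# Only StoredKey/ServerKey end up on disk; the password itself does not.
def scram_sha1_derive(password: str, salt: bytes, iterations: int):
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return stored_key, server_key


# Constructed record in the shape of an internal_hashed account:
# hex-encoded keys, a string salt and the iteration count.
def make_hashed_record(password: str, salt: str = None, iterations: int = 4096) -> dict:
    salt = salt if salt is not None else str(uuid.uuid4())  # example salt source
    stored_key, server_key = scram_sha1_derive(password, salt.encode("utf-8"), iterations)
    return {
        "stored_key": stored_key.hex(),
        "server_key": server_key.hex(),
        "salt": salt,
        "iteration_count": iterations,
    }


# Constructed record in the shape of an internal_plain account.
def make_plain_record(password: str) -> dict:
    return {"password": password}


def storage_kind(record: dict) -> str:
    """Tell an admin which store an account record came from."""
    return "plain" if "password" in record else "hashed"


def verify_password(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type.

    The hashed path recomputes StoredKey and compares in constant time; the
    plain path can only compare the raw string, which is exactly the case
    the thread is debating whether to support at all.
    """
    if storage_kind(record) == "plain":
        return hmac.compare_digest(record["password"].encode("utf-8"),
                                   candidate.encode("utf-8"))
    stored_key, _ = scram_sha1_derive(candidate,
                                      record["salt"].encode("utf-8"),
                                      int(record["iteration_count"]))
    return hmac.compare_digest(stored_key, bytes.fromhex(record["stored_key"]))


def admin_warning(record: dict) -> str:
    """The kind of advice the last comment in the thread asks for."""
    if storage_kind(record) == "plain":
        return ("WARNING: account uses internal_plain; the password is stored "
                "verbatim on the Prosody host. Switch to internal_hashed.")
    return "OK: account uses internal_hashed (SCRAM-SHA-1, salted)."


if __name__ == "__main__":
    hashed = make_hashed_record("correct horse", salt="constructed-salt")
    plain = make_plain_record("correct horse")
    for rec in (hashed, plain):
        print(storage_kind(rec), verify_password(rec, "correct horse"),
              verify_password(rec, "wrong"), admin_warning(rec))
```

Note that a hashed record can never be turned back into a plain one, while the reverse is a one-line rehash; a backend that supports both should make clear which case a given account is in, which is what the warning function above is for.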

violoncelloCH commented 5 years ago

thanks for looking into this @sebastiansterk !

In the meantime, we should think about whether we (nextcloud and user_external devs) really want to support this insecure way of storing passwords. In my opinion, passwords should never be stored in plain text.

That's a good question. On the other hand, Prosody shouldn't be supporting plain text storage either. We as user_external devs can also just aim for supporting the best interoperability... In the end it's the admin who is responsible for his setup... What we should do in any case is add a warning / advice...