November 15: Deactivation of DIGEST-MD5 authentication
Nov. 11, 2014, 11:53 a.m. by mati
We will disable DIGEST-MD5 for all our domains on Saturday, November 15. DIGEST-MD5 is an old insecure authentication mechanism and the reason we still store passwords in plain text. We don't really know how many users might be affected, so please contact us if you have any problems connecting on or after November 15. We consider this step a trial-run and might enable DIGEST-MD5 again if to many users report (unfixeable) problems. Technical background: DIGEST-MD5 is the original SASL authentication mechanism in the Jabber protocol. Besides using weak hashes, it requires passwords to be available in plain text on both the server and the client. SCRAM-SHA1 is much more secure and would enable us to store securely hashed passwords. But hashing passwords is by definition irreversible, so once we store passwords this way, there is no turning back. By disabling DIGEST-MD5 (what we will do on November 15), we will offer the same authentication mechanisms as if we had SCRAM-SHA1 hashes stored already. Of course, our idea is to convert to SCRAM-SHA1 hashes if there aren't too many problems with turning off DIGEST-MD5.