26 Mar 2017, 8:33 p.m.
On 26.03.2017 at 19:22, Steinar Bang wrote:
> I worry less about the security of a password stored in a local file compared to the security of transferring the same password in cleartext over the wire, SSL or not.
A TLS-secured communication ensures that authentication credentials aren't transmitted in plaintext, even if the SASL mechanism is PLAIN. So ensure that the certificates are validated and secure ciphers are used and you are on the safe side.
Why would you discredit TLS/SSL? That's not rational.
Basically it is bad practice to store credentials in plaintext on a server. Thus shared-secret mechanisms like CRAM-MD5 are not really a good choice.
Alexander
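
Added example, not part of the original message: a Python sketch of the server-side storage difference between the two SASL mechanisms discussed above. The account, challenge string and PBKDF2 parameters are constructed assumptions, and the PLAIN exchange is assumed to run inside a validated TLS session.

```python
import hashlib
import hmac
import os

# Constructed sample account and parameters (illustrative only).
USER, PASSWORD = "alice", "correct horse battery staple"
PBKDF2_ROUNDS = 200_000

def cram_md5_response(user, secret, challenge):
    """Client side of CRAM-MD5: user, space, hex HMAC-MD5 keyed with the secret."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()

def cram_md5_verify(stored_secret, challenge, response):
    """Server side: recomputes the HMAC, so it must hold the secret itself
    (or a password-equivalent value), not a one-way hash of it."""
    _user, _, digest = response.decode().partition(" ")
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)

def make_password_record(password):
    """What a server can store when clients use PLAIN: salt plus slow one-way hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def plain_verify(record, message):
    """Server side of PLAIN: message is authzid NUL authcid NUL passwd."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return False  # malformed message
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", parts[2], salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    challenge = b"<12345.67890@mail.example.test>"  # constructed challenge
    response = cram_md5_response(USER, PASSWORD, challenge)
    record = make_password_record(PASSWORD)
    # CRAM-MD5 works only when the server keeps the recoverable secret.
    print("CRAM-MD5 with stored secret:", cram_md5_verify(PASSWORD, challenge, response))
    # A server holding only the salted hash cannot check a CRAM-MD5 response.
    print("CRAM-MD5 with stored hash:  ", cram_md5_verify(record[1].hex(), challenge, response))
    # PLAIN verifies against the salted hash; TLS protects the password in transit.
    print("PLAIN with stored hash:     ", plain_verify(record, b"\0alice\0" + PASSWORD.encode()))
```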