
Using Salted Hashed Passwords In Your Ejabberd MySQL Database

For a recent consulting job I was asked to improve the security of an Ejabberd server. Ejabberd lets you use a MySQL database instead of the built-in Mnesia database. All you have to do is download and compile the native MySQL Erlang drivers and set up the SQL schema. One major security concern is that the erlang_auth_odbc module saves user passwords in cleartext rather than as salted hash values (there's a good posting on this topic on Stackoverflow).

So I decided to rewrite this module to include a salted (static salt) SHA-256 hash. Using a specific salt for each password generation is advised but not necessary in my opinion. It requires a SHA Module written by Steve Vinoski <vinoski@ieee.org> which is marked obsolete but doesn't require Erlang R14B (successor module can be found on his blog).

If you have further questions or need to implement this behavior at your own system, feel free to contact me. And don't forget to subscribe to my newsletter.

The following code is based on ejabberd 2.1.2 (which is included in the current Ubuntu LTS version "Lucid").
