Subj : Question on User Data
To   : Digital Man
From : Feserenity
Date : Wed Feb 18 2026 12:12 am

  Re: Question on User Data
  By: Digital Man to Feserenity on Tue Feb 17 2026 07:45 pm

 > No, there's no mechanism for hashing or encrypting the passwords in the Synchronet userbase (today, that's data/user/user.tab). A one-way hash would be particularly tricky because Synchronet supports a bunch
 > of
 > digest-based authentication methods that all require different hashes of the password along with challenge/nonce/sale (so you need the original password to compute those).
 >
 > We could encrypt the passwords on disk (reversable to plaintext again, for the above stated reasons), but then you need to have/store a key to decrypt them somewhere and how is that any more secure than the
 > user.tab file? It's a can of worms that hasn't be worth dumping out and sorting through.

Thanks! Yeah that would make it tricky if supporting other Auth mechanisms that need to have their client-given hash + salt match the server-side password post hashing + salting. Hmmmm.... Yeah in that case is definitely a can of worms. And for sure encrypting them at rest is a nice idea but then if you have to decrypt them per login operation then the information is floating around on the server anyways to revert them back to plaintext.

Will go with the human-side solution for now and encourage folks to not use a password they don't want me to potentially see.

Thanks again!

.