Prosody stores hashed passwords
Recently Prosody gained the ability to store passwords in a hashed form.
With the upcoming upgrade next weekend, this feature will be enabled.
It’s an important change, as a possible attacker wouldn’t be able to look at users’ passwords anymore even if he gained access to the server.
This is possible due to a new authentication mechanism called SCRAM. For the best possible security use a client that supports SCRAM (such support is already being added to most of the popular clients). In the meantime Prosody will allow clients to use the standard PLAIN mechanism, and perform the SCRAM calculations on the server side.
The code has been contributed by jefferai, thanks!
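What the server keeps instead of the password, and how it checks a PLAIN login and a SCRAM login against that record, shown as an added example that is not Prosody's code. It assumes SCRAM-SHA-1 as defined in RFC 5802 with a default of 4096 iterations and skips SASLprep normalization; the function names are hypothetical, and the sample exchange is the published one from RFC 5802, section 5.

```python
import base64
import hashlib
import hmac
import os

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def derive_record(password: str, salt: bytes = None, iterations: int = 4096) -> dict:
    """What the server stores in place of the password (RFC 5802 names)."""
    salt = os.urandom(16) if salt is None else salt
    # SaltedPassword := Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-1.
    # Assumption: the password is already normalized; SASLprep is omitted.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}

def verify_plain(record: dict, password: str) -> bool:
    """PLAIN login: the server sees the password, redoes the derivation, compares."""
    candidate = derive_record(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate["stored_key"], record["stored_key"])

def verify_scram(record: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """SCRAM login: the server only ever sees ClientProof, never the password."""
    signature = _hmac(record["stored_key"], auth_message)
    if len(client_proof) != len(signature):
        return False
    # ClientKey = ClientProof XOR ClientSignature; H(ClientKey) must equal StoredKey.
    client_key = bytes(p ^ s for p, s in zip(client_proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

# Sample exchange: the published example from RFC 5802 section 5
# (user "user", password "pencil"); not Prosody data.
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")
RFC_CLIENT_PROOF = base64.b64decode("v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=")

if __name__ == "__main__":
    record = derive_record("pencil", RFC_SALT, 4096)
    print("stored_key:", record["stored_key"].hex())
    print("PLAIN ok:", verify_plain(record, "pencil"))
    print("SCRAM ok:", verify_scram(record, RFC_AUTH_MESSAGE, RFC_CLIENT_PROOF))
```

With PLAIN the password still reaches the server for the duration of the login, which is why a SCRAM-capable client is the stronger choice. A copied record does not reveal the password directly but can still be guessed against offline, at a cost set by the iteration count.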