On Monday, 7 April 2008, Karl Fogel wrote:
> Duncan Booth <duncan.booth_at_suttoncourtenay.org.uk> writes:
> > That isn't the only option. For example you could store a hash locally
> > and transfer a hash of the hash. That way you still aren't sending the
> > stored value across the network (and you can use a challenge response
> > system to ensure the value which is sent is different every time) but if
> > the stored password is leaked the original plaintext password (which may
> > be being used for other systems too) isn't compromised.
>
> But then the stored hash becomes, effectively, the plaintext password,
> and we are still storing it locally.
>
> (Work it out, you'll see what I mean.)

I think the rationale is that the plaintext password, which might be used in
other systems too, cannot easily be recovered from the (hopefully salted)
hash.

Regards,
Phil
Received on 2008-04-07 12:41:20 CEST
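
The trade-off discussed in this thread, as an added example that is not part of the original messages or of Subversion's code: a client caches a salted hash and answers a server nonce with a keyed hash of it. The choice of PBKDF2-HMAC-SHA256 and HMAC-SHA256, the `Server` class, the nonce size and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def stored_value(password: str, salt: bytes) -> bytes:
    """What the client caches on disk instead of the plaintext (salted, slow hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def respond(stored: bytes, challenge: bytes) -> bytes:
    """The 'hash of the hash': the server's nonce keyed with the cached value."""
    return hmac.new(stored, challenge, hashlib.sha256).digest()

class Server:
    """Hypothetical verifier that holds the same salted hash for the account."""
    def __init__(self, verifier: bytes):
        self._verifier = verifier
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        nonce, self._pending = self._pending, None  # each nonce is single use
        return hmac.compare_digest(response, respond(self._verifier, nonce))

def demo() -> dict:
    salt = b"constructed-salt"            # constructed sample values
    password = "constructed-password"
    cached = stored_value(password, salt)
    server = Server(cached)

    r1 = respond(cached, server.challenge())
    first_login = server.verify(r1)
    replay = server.verify(r1)            # old response, nonce already consumed
    r2 = respond(cached, server.challenge())
    second_login = server.verify(r2)

    # The cached bytes alone authenticate; the plaintext is never needed.
    cache_only = server.verify(respond(bytes(cached), server.challenge()))
    # The cached bytes are not the plaintext, and a different salt gives a
    # different value, so the cache is specific to this one system.
    other_system = stored_value(password, b"other-system-salt")
    return {"first_login": first_login, "replay": replay,
            "second_login": second_login, "responses_differ": r1 != r2,
            "cache_only": cache_only,
            "cache_is_plaintext": cached == password.encode(),
            "reusable_elsewhere": cached == other_system}

if __name__ == "__main__":
    print(demo())
```

Both positions in the thread show up in the result: `cache_only` is true, so the cached value works as the credential for this server, while `cache_is_plaintext` and `reusable_elsewhere` are false, so a leaked cache does not directly expose the password used on other systems.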