Scott Palmer wrote:
> But you are correct, there are fairly easy things that can be done to
> fix it. E.g. store the hash of the plaintext password, issue a
> challenge from the server with a secure random number, the client
> responds with the result of hashing the password hash with the random
> number. The server checks that hashing the stored hash with the random
> number yields the same value. The data over the wire is random so
> sniffing doesn't help that much.
That doesn't solve (or even change) the problem. You just turned the
password from some easily-remembered number/word/phrase into a
fixed-length hexadecimal string. The server still stores "piece of data
a" and the client still uses "piece of data a" to respond to the
server's challenge. Whether or not "piece of data a" is derived from or
is a hash of "piece of data b" is irrelevant.
Mark
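Added illustration (not part of the thread): the scheme Scott describes, modelled in Python with SHA-256 standing in for the unspecified hash, run once by a client holding the password and once by a party holding only the server's stored hash. Hash choice, encoding and the `enroll`/`respond`/`verify` names are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def enroll(password: str) -> str:
    """Server side: store only the hash of the plaintext password."""
    return sha256_hex(password.encode())


def issue_challenge() -> str:
    """Server side: a fresh random nonce per authentication attempt."""
    return secrets.token_hex(16)


def respond(password_hash: str, challenge: str) -> str:
    """Client side: hash the password hash together with the challenge.
    Note the client never needs the plaintext password, only its hash."""
    return sha256_hex((password_hash + challenge).encode())


def verify(stored_hash: str, challenge: str, response: str) -> bool:
    """Server side: recompute from the stored hash and compare in constant time."""
    expected = respond(stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(stored_hash: str, prover_secret: str) -> bool:
    """One full challenge/response round between server and a prover
    whose only secret is prover_secret."""
    challenge = issue_challenge()
    response = respond(prover_secret, challenge)
    return verify(stored_hash, challenge, response)


def demo() -> tuple:
    stored = enroll("correct horse")          # constructed sample password
    with_password = run_exchange(stored, sha256_hex(b"correct horse"))
    with_hash_only = run_exchange(stored, stored)   # stored hash alone suffices
    with_wrong_guess = run_exchange(stored, sha256_hex(b"guess"))
    return with_password, with_hash_only, with_wrong_guess
```

The second case returning the same result as the first is Mark's point: whatever the server stores is the credential, so the stored hash must be protected exactly as a plaintext password would be.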
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Nov 15 23:40:27 2005