On 15-Nov-05, at 5:38 PM, Mark Parker wrote:
> Scott Palmer wrote:
>> But you are correct, there are fairly easy things that can be done
>> to fix it. E.g. store the hash of the plaintext password, issue
>> a challenge from the server with a secure random number, the
>> client responds with the result of hashing the password hash
>> with the random number. The server checks that hashing the
>> stored hash with the random number yields the same value. The
>> data over the wire is random so sniffing doesn't help that much.
>
> That doesn't solve (or even change) the problem. You just turned
> the password from some easily-remembered number/word/phrase into a
> fixed-length hexadecimal string. The server still stores "piece of
> data a" and the client still uses "piece of data a" to respond to
> the server's challenge. Whether or not "piece of data a" is derived
> from or is a hash of "piece of data b" is irrelevant.
Ultimately yes. I was only solving the issue of easily readable
plaintext passwords. So, for example, the administrator could look at
the file without accidentally reading the private passwords of the
users.
Scott
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Nov 15 23:56:40 2005
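The challenge-response scheme Scott describes and the objection Mark raises to it, as an added example that is not code from the thread or from Subversion itself. It assumes SHA-256 for both hashes (the thread names no algorithm), a 16-byte server nonce, and hypothetical names (Server, derive_stored_hash, respond, pass_the_hash_login, offline_guess). It shows three things: a legitimate login works and the bytes on the wire differ every time; a nonce is single-use, so a captured exchange cannot be replayed; but anyone who reads the server's stored hash can answer any challenge without ever knowing the password, which is Mark's point. It also shows a caveat a practitioner would want: a sniffer holding one (nonce, response) pair can test password guesses offline, because the response is a deterministic function of the guess and the visible nonce.

```python
"""Challenge-response login over a stored password hash.

Example code modelled on the scheme in the thread; not Subversion's own.
Assumptions: SHA-256 for both hashing steps, 16-byte nonces, one live
challenge per user.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def derive_stored_hash(password: str) -> bytes:
    """What the server keeps on disk: a hash of the plaintext password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def respond(stored_hash: bytes, nonce: bytes) -> bytes:
    """Client's answer: hash of (password hash || server nonce).

    Note the client only needs the *hash*, not the password, so the hash
    is itself a password-equivalent credential.
    """
    return hashlib.sha256(stored_hash + nonce).digest()


class Server:
    def __init__(self) -> None:
        self.users: Dict[str, bytes] = {}        # user -> stored hash
        self.outstanding: Dict[str, bytes] = {}  # user -> live nonce

    def enroll(self, user: str, password: str) -> None:
        self.users[user] = derive_stored_hash(password)

    def issue_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)          # fresh, unpredictable
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # pop() makes every nonce single-use, which defeats replay
        live = self.outstanding.pop(user, None)
        stored = self.users.get(user)
        if live is None or stored is None or live != nonce:
            return False
        expected = respond(stored, nonce)
        return hmac.compare_digest(expected, response)   # constant-time


def legit_login(server: Server, user: str, password: str) -> bool:
    """Honest client: derives the hash from the password it knows."""
    nonce = server.issue_challenge(user)
    return server.verify(user, nonce, respond(derive_stored_hash(password), nonce))


def pass_the_hash_login(server: Server, user: str, stolen_hash: bytes) -> bool:
    """Mark's objection: whoever read the stored hash can answer any challenge."""
    nonce = server.issue_challenge(user)
    return server.verify(user, nonce, respond(stolen_hash, nonce))


def offline_guess(nonce: bytes, response: bytes, wordlist) -> Optional[str]:
    """Sniffer with one captured (nonce, response) pair tests guesses offline."""
    for guess in wordlist:
        if respond(derive_stored_hash(guess), nonce) == response:
            return guess
    return None


if __name__ == "__main__":
    srv = Server()
    srv.enroll("alice", "hunter2")               # constructed sample credential
    print("legit login:", legit_login(srv, "alice", "hunter2"))
    print("wrong password:", legit_login(srv, "alice", "wrong"))
    print("pass-the-hash:", pass_the_hash_login(srv, "alice", derive_stored_hash("hunter2")))
    n = srv.issue_challenge("alice")
    r = respond(derive_stored_hash("hunter2"), n)
    print("first use:", srv.verify("alice", n, r), "replay:", srv.verify("alice", n, r))
    print("offline guess:", offline_guess(n, r, ["password", "letmein", "hunter2"]))
```

The takeaway matches the thread: hashing before storage stops an administrator from reading passwords off the file, and the random nonce keeps the wire traffic from being replayed, but the stored hash is exactly as valuable to an attacker as the password was.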