On Tue, Nov 28, 2006 at 08:52:22AM -0800, jezzzz . wrote:
> I was wondering if we could protect against both.
> Sending a password encrypted would protect against
> eavesdropping. Once the password has been received,
> the hash of it is taken and compared with the hash of
> the password saved, so it also takes care of a local
> attacker.
Send an encrypted password? Encrypted how, exactly? One common mistake is
to suggest to simply send the hash, as it is encrypted. But this merely
makes the hash a "password equivalent": An eavesdropper can use the hash
to authenticate without knowing the password.
>
> I could certainly use SSL/TLS, but that still doesn't
> take care of a local attack to obtain the passwords of
> the users.
--
Tzafrir Cohen
icq#16849755 jabber:[EMAIL PROTECTED]
+972-50-7952406 mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
asterisk-users mailing list
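
The "password equivalent" point from the reply above, modelled as an added example that is not part of the original message or of Asterisk: one toy server accepts a hash sent on the wire, the other receives the password itself and keeps only a salted hash. The class names and sample password are hypothetical, and the encrypted channel (SSL/TLS) for the second server is assumed rather than modelled.

```python
import hashlib
import hmac
import os

PASSWORD = "s3cret-constructed"  # constructed sample value


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class HashOnWireServer:
    """Client sends hash(password); server compares it to the stored hash."""

    def __init__(self, password: str):
        self.stored = sha256_hex(password.encode())

    def login(self, wire_value: str) -> bool:
        return hmac.compare_digest(wire_value, self.stored)


class PasswordOverTlsServer:
    """Client sends the password inside an encrypted channel (assumed, not
    modelled here); server stores only a salted, stretched hash."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = self._derive(password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, wire_value: str) -> bool:
        return hmac.compare_digest(self._derive(wire_value), self.stored)


def demo() -> dict:
    naive = HashOnWireServer(PASSWORD)
    captured = sha256_hex(PASSWORD.encode())   # value visible on the wire
    hardened = PasswordOverTlsServer(PASSWORD)
    leaked = hardened.stored.hex()             # value visible in local storage
    return {
        "naive_replay_of_captured_hash": naive.login(captured),
        "naive_login_with_stored_hash": naive.login(naive.stored),
        "hardened_login_with_leaked_hash": hardened.login(leaked),
        "hardened_login_with_password": hardened.login(PASSWORD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In the first server the wire value and the stored value are the same secret, so exposure of either one is enough to log in; in the second, the stored value is not accepted as a credential.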