On Wed, 2003-02-19 at 14:21, Matt Pavlovich wrote:
> It sounds as if CRAM-SHA1 does not send a derivation of a SHA1 hash of
> the password and request a valid response from the server replying with
> a derivation of the same SHA1 hash.

Right. If it did that, then the SHA1 hash that the client sent to the server would always be the same. If the hash is always the same, then it's "plain text". It can be sniffed and re-used, and there's no benefit to the hashing.

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
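
An added example (not part of the original message and not Courier's code) of the point made in the reply: a fixed SHA1(password) is accepted again when presented a second time, while a response bound to a fresh server challenge is not. It assumes CRAM-SHA1 follows the RFC 2195 CRAM-MD5 construction with HMAC-SHA1 substituted; the password, host name and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

PASSWORD = b"correct horse"  # constructed sample secret known to client and server


def static_hash_response(password: bytes) -> str:
    """Scheme from the quoted question: send SHA1(password), identical at every login."""
    return hashlib.sha1(password).hexdigest()


def static_hash_verify(response: str) -> bool:
    return hmac.compare_digest(response, hashlib.sha1(PASSWORD).hexdigest())


def new_challenge() -> bytes:
    """Server side: a fresh, never-repeated challenge string per login attempt."""
    return b"<%s.%d@mail.example>" % (os.urandom(8).hex().encode(), int(time.time()))


def cram_response(password: bytes, challenge: bytes) -> str:
    """Client side: HMAC-SHA1 over the challenge, keyed with the password."""
    return hmac.new(password, challenge, hashlib.sha1).hexdigest()


def cram_verify(challenge: bytes, response: str) -> bool:
    expected = hmac.new(PASSWORD, challenge, hashlib.sha1).hexdigest()
    return hmac.compare_digest(response, expected)


def replay_outcomes() -> dict:
    """Record one login under each scheme, then present the recorded bytes again."""
    recorded_static = static_hash_response(PASSWORD)
    first = new_challenge()
    recorded_cram = cram_response(PASSWORD, first)
    second = new_challenge()  # what the server issues on the next connection
    return {
        "static_first_login": static_hash_verify(recorded_static),
        "static_replay": static_hash_verify(recorded_static),
        "cram_first_login": cram_verify(first, recorded_cram),
        "cram_replay": cram_verify(second, recorded_cram),
    }


if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The replay protection depends entirely on the server never reissuing a challenge; a predictable or repeated challenge makes the response as reusable as the static hash.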
