On Wed, Feb 19, 2003 at 04:37:48PM -0800, Gordon Messmer wrote:
> Doesn't matter *how* you do the hashing. If the client always sends the
> same thing, then it's sending the plain text password.

Absolutely - same problem with NT authentication (pre Kerberos). Anyway,
that's why we have SSL :-) Hashed server-side + SSL = (vaguely) secure.
Hell, even Basic Auth under HTTPS becomes tough :-)

All this is a bit academic. If the server is compromised, you're toast
anyway. If you use CRAM-stuff, then they just steal the cleartext
passwords. If you have hashed passwords, then they just rewrite your app
to log the cleartext password before doing the hash-test. Game over Man.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
courier-users mailing list
https://lists.sourceforge.net/lists/listinfo/courier-users
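The two points made in this exchange, as an added example that is not part of the original thread and not code from the Courier project: a client that always sends the same token (a fixed hash of the password) is sending a password-equivalent, so one captured token replays forever; a CRAM-style challenge-response (here an HMAC-MD5 over a server nonce, the shape CRAM-MD5 uses) rejects a replayed response, but only because the server keeps the shared secret in usable form, which is exactly what an attacker takes if the server is compromised. The class and function names, the sample password and the in-memory nonce tracking are constructed for this demonstration.

```python
"""Static-token login vs. challenge-response login: a replay comparison.

Constructed example (not from the courier-users thread or the Courier
project). Names, sample password and nonce bookkeeping are assumptions.
"""
import hashlib
import hmac
import secrets


def static_token(password: str) -> str:
    """What a 'hash it client-side' scheme puts on the wire: always the same."""
    return hashlib.sha256(password.encode()).hexdigest()


class StaticTokenServer:
    """Server that compares a fixed client token against its stored copy."""

    def __init__(self, password: str) -> None:
        self.expected = static_token(password)

    def login(self, token: str) -> bool:
        return hmac.compare_digest(token, self.expected)


class CramServer:
    """Server side of a CRAM-MD5-style exchange over a fresh per-login nonce.

    Note the cost Jason points out: self.secret is the cleartext-equivalent
    shared secret, stored in a form the server can use, so it is what a
    server compromise exposes.
    """

    def __init__(self, shared_secret: bytes) -> None:
        self.secret = shared_secret
        self.outstanding: set[bytes] = set()  # challenges not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        # An unknown or already-used challenge is refused outright; this is
        # what makes a captured response useless a second time.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.secret, nonce, hashlib.md5).hexdigest()
        return hmac.compare_digest(response, expected)


def cram_client_response(secret: bytes, nonce: bytes) -> str:
    """Client side: prove knowledge of the secret for this nonce only."""
    return hmac.new(secret, nonce, hashlib.md5).hexdigest()


def replay_against_static(password: str) -> tuple[bool, bool]:
    """Capture one static token, then replay it. Returns (first, replay)."""
    server = StaticTokenServer(password)
    captured = static_token(password)  # what an eavesdropper sees on the wire
    first = server.login(captured)
    replay = server.login(captured)
    return first, replay  # (True, True): the token *is* the password


def replay_against_cram(secret: bytes) -> tuple[bool, bool, bool]:
    """Capture one CRAM response, then replay it against the same nonce and
    against a fresh nonce. Returns (first, replay_same, replay_fresh)."""
    server = CramServer(secret)
    nonce = server.challenge()
    captured = cram_client_response(secret, nonce)
    first = server.verify(nonce, captured)
    replay_same = server.verify(nonce, captured)        # nonce already consumed
    fresh = server.challenge()
    replay_fresh = server.verify(fresh, captured)       # MAC was over old nonce
    return first, replay_same, replay_fresh  # (True, False, False)


if __name__ == "__main__":
    print("static token:", replay_against_static("hunter2"))
    print("challenge-response:", replay_against_cram(b"hunter2"))
```

Running it shows the static scheme accepting the replayed token and the challenge-response scheme rejecting both replays; the trade-off is visible in `CramServer.secret`, which has to be the usable secret. Transport encryption (the SSL in the reply) is what covers the static-token case; neither scheme helps once the server itself is under an attacker's control.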
