On Thu, 2003-02-20 at 14:09, Gordon Messmer wrote:
> On Thu, 2003-02-20 at 08:52, Matt Pavlovich wrote:
> > No, no. Do the same challenge/response mechanism, but instead of using
> > the clear password as the shared secret, use the SHA1 (or other) hash of
> > the password.
> ...
> > The server never knows the clear password, and any man in the middle
> > would need to know the hash of the password in order to break it.. which
> > is the equal of needing to know the password in the current CRAM-*
> > methods.. (maybe stronger as you may get the 'triple des effect').
>
> You just worked out that storing the hash of the password in that case
> is functionally the same as storing the original plain text password.
> The security risk involved with storing the plain text password is that
> instead of an attacker grabbing the password from the transmission, he
> can get it from the server if he compromises that (The question is:
> which is more secure, your server or your network?). If the server
> stores and uses a hash of the password, an attacker can still steal the
> hash and use that for authentication.
But Matt's proposed method can still protect MetaPasswords.

POP3 MetaPassword = 'MyPassForSshIs:otherpassword' :)

--
Eduardo Roldan <[EMAIL PROTECTED]>

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
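The three positions in this thread can be checked against a small model of the scheme. The code below is an added example, not code from the thread and not Courier's own authentication code. It runs a CRAM-style challenge/response in which both sides use SHA-1(password) as the shared secret, as Matt proposed, and then tests: that a passive man in the middle who captures the challenge and response cannot replay it (the property CRAM-* already has); that an attacker who steals the stored hash from the server can authenticate with it directly, which is Gordon's point that the stored hash is functionally a clear-text password; and that the stolen hash still does not hand over the clear text, which is Eduardo's point about MetaPasswords. Assumptions that are mine rather than the thread's: HMAC-SHA1 as the response function (real CRAM-MD5 uses HMAC-MD5), a 16-byte random challenge, and the user name, password string and guess list, which are all constructed for the example.

```python
"""Model of CRAM-style auth with SHA-1(password) as the shared secret.

Added example for the courier-users discussion; not Courier's code.
Names, messages and passwords below are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def derive_secret(password: str) -> bytes:
    """The shared secret is SHA-1 of the clear-text password (as in the
    thread); the server stores this and never sees the clear text."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def compute_response(secret: bytes, challenge: bytes) -> str:
    """Keyed MAC over the server's challenge. HMAC-SHA1 is an assumption
    here; CRAM-MD5 itself uses HMAC-MD5 with the same structure."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


class Server:
    """Holds user -> stored secret (the hash) and outstanding challenges."""

    def __init__(self, users: Dict[str, bytes]) -> None:
        self.secrets = users
        self.pending: Dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)          # fresh per attempt; defeats replay
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self.pending.pop(user, None)   # one-shot challenge
        secret = self.secrets.get(user)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(compute_response(secret, nonce), response)


class Client:
    """The legitimate client keeps the clear text and derives the secret."""

    def __init__(self, user: str, password: str) -> None:
        self.user = user
        self.password = password

    def respond(self, challenge: bytes) -> str:
        return compute_response(derive_secret(self.password), challenge)


def run_exchange(server: Server, client: Client) -> Tuple[bool, bytes, str]:
    """Normal login. Returns (accepted, challenge, response); the last two
    are exactly what an eavesdropper on the wire gets to see."""
    challenge = server.challenge(client.user)
    response = client.respond(challenge)
    return server.verify(client.user, response), challenge, response


def replay_from_wire(server: Server, user: str, response: str) -> bool:
    """Man in the middle replays a captured response to a new challenge."""
    server.challenge(user)               # server issues a fresh nonce
    return server.verify(user, response)


def login_with_stolen_hash(server: Server, user: str, stolen: bytes) -> bool:
    """Attacker who compromised the server uses the stored hash as the key.
    No clear-text password needed: this is Gordon's objection."""
    challenge = server.challenge(user)
    return server.verify(user, compute_response(stolen, challenge))


def recover_password(stolen: bytes, guesses: List[str]) -> Optional[str]:
    """Only way back from the stored hash to the clear text is guessing;
    a MetaPassword the attacker cannot guess stays hidden (Eduardo's point)."""
    for guess in guesses:
        if hmac.compare_digest(derive_secret(guess), stolen):
            return guess
    return None


# Constructed data, after the thread's own joke.
USER = "eduardo"
META_PASSWORD = "MyPassForSshIs:otherpassword"
GUESSES = ["hunter2", "password", "otherpassword"]


def demo() -> Dict[str, object]:
    server = Server({USER: derive_secret(META_PASSWORD)})
    client = Client(USER, META_PASSWORD)
    accepted, _challenge, response = run_exchange(server, client)
    stolen = server.secrets[USER]       # what a server compromise yields
    return {
        "login": accepted,                                        # True
        "replay": replay_from_wire(server, USER, response),       # False
        "pass_the_hash": login_with_stolen_hash(server, USER, stolen),  # True
        "recovered": recover_password(stolen, GUESSES),           # None
    }


if __name__ == "__main__":
    print(demo())
```

The result summarises the thread: the wire is no weaker than with CRAM-MD5 (replay fails), the stored hash is a password-equivalent for this service (pass-the-hash succeeds), and what the hash does not give away is the clear text, which only matters when that clear text is worth more than the account it protects.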
