Agreed. I don't think this solution works for everyone. Though from that post it seems that unless the site is using SRP, the password is going in clear-text over the wire (SSL) for sites that store salted hashes. (I just used Live HTTP Headers to verify a major online service provider, and this is the case. The password is in clear-text over SSL.) If the site uses something like a NetScaler to offload their SSL, then the clear-text password is in the clear inside the company's network. Hopefully, most sites using this scheme make sure the password is specified in a POST to ensure it's not being stored in clear-text in the server's log files :)

Thanks,
George

Brian Eaton wrote:
> On Wed, Jan 28, 2009 at 6:41 PM, George Fletcher <[email protected]> wrote:
>> The request is only valid if the receiving
>> authentication system can generate the signature using the password for
>> that user.
>
> Lots of authentication servers can't do that, because they do not keep
> a clear-text version of the user's password. Instead they store a
> salted hash.
>
> I love Thomas Ptacek's summary of password storage schemes:
> http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/

--
Chief Architect
Identity Services
AOL LLC
AIM: gffletch
Work: [email protected]
Home: [email protected]
Mobile: +1-703-462-3494
Office: +1-703-265-2544
Blog: http://practicalid.blogspot.com

You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
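The point the two messages above turn on is concrete enough to show in code: a server that keeps only a salted hash can check a password the client presents, but it cannot recompute a request signature that was keyed with the raw password, so under that scheme the password itself has to ride along in the request (over TLS). The following is an added illustration, not code from either poster or from any OAuth library; the canonical-string layout, the PBKDF2 work factor and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor for this illustration; production values are a policy choice.
PBKDF2_ROUNDS = 100_000


def store_salted_hash(password: str) -> dict:
    """Server-side record for a site that keeps only a salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_presented_password(record: dict, presented: str) -> bool:
    """What a salted-hash store CAN do: check a password the client sent in the request."""
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def canonical(method: str, url: str, body: str) -> bytes:
    """Constructed canonical form of a request (assumed layout, not any spec's)."""
    return "\n".join([method.upper(), url, body]).encode()


def sign_request(password: str, method: str, url: str, body: str) -> str:
    """Client side of the scheme under discussion: HMAC over the request keyed with the password."""
    return hmac.new(password.encode(), canonical(method, url, body), hashlib.sha256).hexdigest()


def verify_with_password_store(stored_password: str, method: str, url: str,
                               body: str, signature: str) -> bool:
    """A server that keeps the clear-text password can recompute the HMAC directly."""
    expected = sign_request(stored_password, method, url, body)
    return hmac.compare_digest(expected, signature)


def verify_with_hash_store(record: dict, method: str, url: str, body: str,
                           signature: str, presented_password: str = None) -> bool:
    """A server that keeps only a salted hash.

    Nothing in the record can key the HMAC, so the only way to recompute the
    signature is for the request to carry the password itself (in clear-text
    inside the TLS tunnel, which is the situation described in the thread).
    """
    if presented_password is None:
        return False  # the salted hash is not the HMAC key; verification is impossible
    if not verify_presented_password(record, presented_password):
        return False
    expected = sign_request(presented_password, method, url, body)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample credential and request.
    pw = "correct horse battery staple"
    rec = store_salted_hash(pw)
    sig = sign_request(pw, "POST", "https://api.example.test/resource", "a=1&b=2")
    print("password-store verify:", verify_with_password_store(pw, "POST", "https://api.example.test/resource", "a=1&b=2", sig))
    print("hash-store verify, no password in request:", verify_with_hash_store(rec, "POST", "https://api.example.test/resource", "a=1&b=2", sig))
    print("hash-store verify, password in request:", verify_with_hash_store(rec, "POST", "https://api.example.test/resource", "a=1&b=2", sig, presented_password=pw))
```

The `verify_with_hash_store` path is the one to watch operationally: once the password is a request parameter, anything that terminates TLS in front of the application (an SSL-offloading load balancer, a logging proxy) sees it, and a GET would put it straight into access logs, which is why the thread favours a POST body.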
