Thank you, Ryan. So there's no way around that? I.e., is there a strategy that can alleviate that?
On Mon, Nov 30, 2015 at 4:34 PM, Ryan Tandy wrote:
> On Mon, Nov 30, 2015 at 02:20:44PM -0500, Rich Alford wrote:
>
>> Theoretically, the password should be hashed on the client, sent across the network, to be compared against the hashed passwords in the database.
>
> The client has no idea how the server stores or hashes passwords. The server might not even store them directly, but could be passing them to a third party (f.ex. a Kerberos KDC) for verification. So the client sends the password to the server in the clear (but protected by TLS), and the server verifies the password however it's configured to, in your case by hashing it and comparing the hash to the stored hash.

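An added example, not from the thread or from any server's own code, of the server side of what Ryan describes: the client sends the cleartext password (over TLS), the server salts and hashes it and compares the result with its stored verifier. The hashing scheme (PBKDF2-HMAC-SHA256 with a per-user random salt) and the verifier string format are illustrative choices for this example, not any particular server's configuration. The last two functions model the alternative Rich asks about, hashing on the client, and show why it does not help: with a fixed client-side scheme the stored value is itself sufficient to log in, so stealing the database is as good as stealing the passwords.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters for the server-side scheme (assumed, not any
# real server's defaults).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def make_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Server side: derive the stored verifier from the cleartext password.

    Stored format (assumed for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    The client never needs to know this format; only the server does.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, submitted: str) -> bool:
    """Server side: recompute the hash of the cleartext the client sent,
    using the salt and iteration count recorded in the stored verifier,
    and compare in constant time. A malformed or foreign-scheme verifier
    simply fails to verify."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME or rounds <= 0:
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode("utf-8"), salt, rounds
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def client_hash(password: str) -> str:
    """Hypothetical client-side scheme: the client can only apply a fixed,
    public transformation (here unsalted SHA-256), because it knows nothing
    about per-user secrets or how the server stores credentials."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def client_hashed_login(stored_client_hash: str, submitted: str) -> bool:
    """Server side under the hypothetical client-hash scheme: all it can do
    is compare what it received with what it stored. Whoever holds the
    stored value can therefore submit it directly and log in."""
    return hmac.compare_digest(stored_client_hash, submitted)
```

With server-side hashing, `verify_password(verifier, verifier)` is false: the database row is not a usable credential. With the client-hash scheme, `client_hashed_login(stored, stored)` is true, which is the pass-the-hash problem in miniature. Whether the server hashes locally or hands the cleartext to a Kerberos KDC, as Ryan notes, is invisible to the client either way.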