Stephen Frost <[EMAIL PROTECTED]> writes:
> With the 'md5' method the server will send a randomly
> generated salt to the client which will then concatenate the user's name
> to the password, perform an md5 on that result, then concatenate the
> result of the md5 to the salt provided by the server and will then md5
> that.

I think that in this case calling it a salt altogether is wrong. It's a
"challenge". And I'm inclined to suggest that this authentication method be
removed altogether. The security flaw is that it exists at all. Not the
details of the implementation.

--
greg
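The exchange described in the quoted text, with both sides' computations, as an added example that is not part of the original message and not PostgreSQL's own code. Hex encoding of the digests, the `md5` prefix on the response and the 4-byte challenge length are assumptions not stated in the thread; the user name and password are constructed.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest (assumption: digests are exchanged as hex text)."""
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    """What the server keeps: md5(password || username)."""
    return md5_hex(password.encode() + user.encode())


def new_challenge() -> bytes:
    """Server side: fresh random value per connection (assumed 4 bytes)."""
    return os.urandom(4)


def client_response(user: str, password: str, challenge: bytes) -> str:
    """Client side: md5(md5(password || username) || challenge)."""
    inner = md5_hex(password.encode() + user.encode())
    return "md5" + md5_hex(inner.encode() + challenge)


def server_check(verifier: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the outer hash from the stored inner hash."""
    expected = "md5" + md5_hex(verifier.encode() + challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    user, password = "alice", "correct horse"
    verifier = stored_verifier(user, password)

    first = new_challenge()
    reply = client_response(user, password, first)
    print("fresh challenge accepted:", server_check(verifier, first, reply))

    # The server-supplied value changes on every connection, so a reply
    # captured for one challenge does not verify against the next one.
    # That per-connection role is why the reply calls it a "challenge".
    second = new_challenge()
    print("old reply, new challenge:", server_check(verifier, second, reply))
```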