<quote name="Steve Morrey" date="Sun, 16 Mar 2008 at 11:14 -0600">
> The reason is pretty simple.
> Even if you hash the hash, you are still sending the authentication
> token that the server cares about, in plain text across the internet.
> This could allow for a replay attack. Nothing can prevent that except
> for implementing SSL at least on the authentication page.
Indeed, sending the hashed password is no more secure. We call this "password equivalent". As for hashing the hash, there is nothing at all wrong with this, and it does not in any way, shape, or form increase collisions. These days Unix uses the 1000th hash of your password, the thought being to increase the time required to brute force by 1000 times.

Von Fugal
--
Freedom is Popular!
http://www.ronpaul2008.com
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
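The two points made above, as an added example that is not code from the thread or from either poster: a toy server that stores H(H(pw)) and expects H(pw) over the wire, a passive eavesdropper who replays the captured token without ever learning the password, and a dictionary attack whose cost scales with the number of hash rounds. The user name, the password "hunter2", the word list and all function and class names are constructed for this illustration and are not taken from the thread.

```python
import hashlib
import secrets

# Constructed sample data (not from the thread).
USERS = {"alice": "hunter2"}
WORDLIST = ["letmein", "password", "hunter2", "qwerty"]  # constructed dictionary


def hash_n(data: bytes, rounds: int = 1) -> bytes:
    """SHA-256 applied `rounds` times; hash_n(x, 2) is H(H(x))."""
    digest = data
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


class Server:
    """'Hash the hash' scheme: stores H(H(pw)) and expects H(pw) from the client."""

    def __init__(self, users):
        self._store = {u: hash_n(pw.encode(), 2) for u, pw in users.items()}

    def login(self, user: str, token: bytes) -> bool:
        expected = self._store.get(user)
        if expected is None:
            return False
        # Constant-time compare of H(token) against the stored H(H(pw)).
        return secrets.compare_digest(hashlib.sha256(token).digest(), expected)


def client_auth_message(user: str, password: str):
    """Exactly what crosses the (unencrypted) wire: the user name and H(pw)."""
    return user, hash_n(password.encode(), 1)


def honest_login(server: Server) -> bool:
    return server.login(*client_auth_message("alice", "hunter2"))


def wrong_password(server: Server) -> bool:
    return server.login(*client_auth_message("alice", "hunter3"))


def replay_attack(server: Server) -> bool:
    """A passive attacker copies the sniffed message and re-sends it unchanged.

    The attacker never learns "hunter2"; H(pw) by itself is the password
    equivalent, so the server accepts the replayed token.
    """
    captured = client_auth_message("alice", "hunter2")  # bytes seen on the wire
    return server.login(*captured)


def dictionary_attack(target: bytes, rounds: int, wordlist):
    """Offline guessing against a captured or leaked hash_n(pw, rounds).

    Returns (matching word or None, number of SHA-256 calls spent)."""
    ops = 0
    for word in wordlist:
        ops += rounds
        if hash_n(word.encode(), rounds) == target:
            return word, ops
    return None, ops


def iteration_cost_ratio(rounds: int = 1000) -> int:
    """How many times more hash calls the same dictionary attack needs at
    `rounds` iterations than at a single hash (the 1000x claim in the thread)."""
    _, cheap = dictionary_attack(hash_n(b"hunter2", 1), 1, WORDLIST)
    _, costly = dictionary_attack(hash_n(b"hunter2", rounds), rounds, WORDLIST)
    return costly // cheap


if __name__ == "__main__":
    s = Server(USERS)
    print("honest login accepted:", honest_login(s))
    print("replayed token accepted:", replay_attack(s))
    print("wrong password accepted:", wrong_password(s))
    print("cost multiplier at 1000 rounds:", iteration_cost_ratio(1000))
```

The replay succeeds because the server only ever checks H(token) against H(H(pw)); whoever holds H(pw) is indistinguishable from the user, which is why the thread calls it a password equivalent and points at SSL (or another encrypted/authenticated channel) rather than more hashing as the fix. The iteration count, by contrast, only helps against offline guessing of a stored or captured hash: it multiplies the guesser's work by the round count and does nothing against replay.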
