Peter Tillotson wrote:
> simplest approach is to 1 way hash the password ... perhaps using md5
>
No, it isn't - see below.

> normally with passwords the server only has to check if it is the same
> word, assuming the same hash algorithms the same hash value can be
> created at client.
>
Unfortunately this means that the client sends the same string every time the user authenticates.

> It's not hugely secure ... anyone sniffing can grab your hash value and
> then try to crack it at their leisure. It would be better to communicate
> over ssl.
>
It's not even that secure: all they have to do is replay the data sniffed from the server and they too can authenticate themselves. They don't have to know what the plain-text password is.

> Anyone know of a simple ssl api in python :-)
>
A safer way would be to use some sort of challenge-response mechanism, where the server presents a challenge C to the client, which then computes some function of both C and the plain-text password provided by the user. The server then authenticates by performing the same computation on C and the known password. As long as the server uses a different challenge each time then this is at least secure from replay attacks. But this scheme does have the weakness that the server must know the password of each user.

For something even more secure, look at OPIE and similar schemes.

But let's not forget that all these schemes only secure the authentication exchange: they do nothing to protect application data.

regards
 Steve

> dcrespo wrote:
>
>> Hi all,
>>
>> I have a program that serves client programs. The server has a login
>> password, which has to be used by each client for logging in. So, when
>> the client connects, it sends a string with a password, which is then
>> validated on the server side. The problem is obvious: anyone can get
>> the password just sniffing the network.
>>
>> How can I solve this?
>>
>> Daniel
>>
-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC                     www.holdenweb.com
PyCon TX 2006                  www.python.org/pycon/

-- 
http://mail.python.org/mailman/listinfo/python-list
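The following Python sketch is an added illustration, not code from anyone in this thread. It puts the two schemes discussed side by side: the static-hash login Peter suggested (the client sends the same digest every time, so a captured digest can simply be replayed) and the challenge-response exchange Steve describes (the server issues a fresh random challenge C, the client returns a function of C and the plain-text password, and the server recomputes it from the password it holds). The keyed function is HMAC-SHA256, chosen here as an assumption because the post does not fix a particular function; the user name, password and `NaiveHashServer`/`ChallengeResponseServer` class names are constructed for the demo. Note that, exactly as the post says, the server still has to hold each user's plain-text password.

```python
import hashlib
import hmac
import secrets


# --- Scheme 1: the "just send md5(password)" idea -------------------------

class NaiveHashServer:
    """Server that stores md5(password) and accepts any client that sends it."""

    def __init__(self, password: str) -> None:
        self._stored = hashlib.md5(password.encode()).hexdigest()

    def login(self, token: str) -> bool:
        return hmac.compare_digest(token, self._stored)


def naive_client_token(password: str) -> str:
    """What the client puts on the wire: the same string on every login."""
    return hashlib.md5(password.encode()).hexdigest()


# --- Scheme 2: challenge-response as described in the reply ---------------

def compute_response(challenge: bytes, password: str) -> bytes:
    """f(C, password): HMAC-SHA256 keyed with the password over the challenge.
    (Assumed function; the post only says 'some function of both'.)"""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Server that must know each user's password (the weakness the post notes),
    issues a single-use random challenge, and verifies the client's response."""

    def __init__(self, users: dict) -> None:
        self._users = dict(users)      # username -> plain-text password
        self._pending = {}             # username -> outstanding challenge

    def challenge(self, username: str) -> bytes:
        # 32 random bytes from the OS CSPRNG; a new value on every attempt,
        # which is what defeats replay of an earlier response.
        c = secrets.token_bytes(32)
        self._pending[username] = c
        return c

    def login(self, username: str, response: bytes) -> bool:
        # pop() makes the challenge single-use: a second login with the same
        # response, even for the same challenge, has nothing to match against.
        c = self._pending.pop(username, None)
        password = self._users.get(username)
        if c is None or password is None:
            return False
        expected = compute_response(c, password)
        return hmac.compare_digest(expected, response)


# --- Demonstrations (constructed inputs) ----------------------------------

def naive_replay_demo() -> tuple:
    """Returns (legitimate login ok?, replay of sniffed token ok?)."""
    server = NaiveHashServer("correct horse")
    sniffed = naive_client_token("correct horse")   # what a sniffer would see
    return server.login(sniffed), server.login(sniffed)


def challenge_response_demo() -> tuple:
    """Returns (legit ok?, replay same challenge?, replay new challenge?, wrong pw?)."""
    server = ChallengeResponseServer({"daniel": "correct horse"})

    c1 = server.challenge("daniel")
    r1 = compute_response(c1, "correct horse")      # what a sniffer would see
    legit = server.login("daniel", r1)

    replay_same = server.login("daniel", r1)        # challenge already consumed

    server.challenge("daniel")                      # fresh C, so r1 is stale
    replay_new = server.login("daniel", r1)

    c3 = server.challenge("daniel")
    wrong = server.login("daniel", compute_response(c3, "wrong password"))

    return legit, replay_same, replay_new, wrong


if __name__ == "__main__":
    print("naive scheme (legit, replay):", naive_replay_demo())
    print("challenge-response (legit, replay, replay-new-C, wrong):",
          challenge_response_demo())
```

Running it shows the replay succeeding against the naive scheme and failing against challenge-response, while a correct response to a fresh challenge is accepted. As the post stresses, this only protects the login exchange; everything the client sends afterwards is still in the clear unless the connection itself is encrypted.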