Hi,
I've had a look at your patch, and I've noticed a couple of security
holes... If your only desire is to prevent eavesdropping of passwords, I
suggest you use SSL, as this is a system that actually works (if used
correctly).

Although it has limitations, some people want this feature. I'm

Doug's analysis of the patch is right on, but he doesn't go far enough.

1. The author of the patch clearly thinks that security consists of
sprinkling magic SHA-1 HMAC challenge-response pixie dust over the code
in a random fashion. This means that any revised patch must be viewed
with