> You'd better not encrypt passwords on the client side - and there is no
> need to do so.
>
> So no Javascript, God forbid.

Actually, there is a reason to do this.  The web page can contain a hash
function in Javascript (such as MD5) and a random "seed" string.  Instead of the
password, the client returns MD5(seed + password).  This hash is, essentially, a
one-time password and can be sent somewhat safely in the clear.  It is subject
to dictionary attacks, however.

This method is the basis of "Digest" authentication.  Digest authentication is
not supported by all of the popular browsers, and hence it is not really
available to use.

As Meghadri Ghosh pointed out, SSL is the best solution for transmitting
usernames and passwords.  The only caveat is that strong SSL is not available to
everybody and hash functions are fully "exportable".

-- Charles

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html