On Mon, 12 Mar 2001, GOMEZ Henri wrote:
> >The problem with this approach is that, without a
> >challenge-response, having the MD5 digest of the password is
> >as good as having the password.
>
> What is the challenge-response?
>
> The MD5/SHA1 digest is good over secure line.
>
> 1) Store in DB or LDAP only the MD5 digest of user password
> 2) Use SSL from browser to httpd/tomcat server.
> 3) Send on the SSL link, user log and md5 password and check
>    in servlet/JSP that for that user the password (md5) and
>    the DB/LDAP content are the same.

If you are using SSL then why even bother hashing the password? I think
the original poster said he/she could not use SSL (but I may be mistaken).

Joe Laffey
LAFFEY Computer Imaging
St. Louis, MO
----------------------
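To make the objection concrete, here is an added Python example (not code from either poster): it models the three-step scheme quoted above with a constructed user table, shows that the digest sent in step 3 is itself a replayable credential, and then adds the challenge-response the first poster alluded to, where a fresh server nonce makes a captured response worthless. All function and variable names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: as in step 1 of the quoted scheme,
# the server keeps only the MD5 digest of each user's password.
USERS = {"henri": hashlib.md5(b"correct horse").hexdigest()}


def digest_login(user: str, md5_password: str) -> bool:
    """Step 3 of the quoted scheme: the client sends md5(password) and the
    server compares it with the stored digest."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, md5_password)


def issue_challenge() -> str:
    """Server side of a challenge-response: a fresh, unpredictable nonce
    for every login attempt; it must never be reused."""
    return secrets.token_hex(16)


def challenge_response(md5_password: str, challenge: str) -> str:
    """Client side: prove knowledge of the digest without sending it, by
    keying an HMAC with the digest over the server's challenge."""
    return hmac.new(md5_password.encode(), challenge.encode(), "sha256").hexdigest()


def challenge_login(user: str, challenge: str, response: str) -> bool:
    """Server side: recompute the expected response from the stored digest."""
    stored = USERS.get(user)
    if stored is None:
        return False
    expected = challenge_response(stored, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    # Legitimate client derives the digest from the real password.
    wire_digest = hashlib.md5(b"correct horse").hexdigest()
    ok = digest_login("henri", wire_digest)
    # Whatever crossed the wire (or leaked from the DB) is a valid credential
    # on its own: the same digest logs in again without the password.
    replayed = digest_login("henri", wire_digest)

    # Challenge-response: each attempt is bound to a fresh nonce.
    c1 = issue_challenge()
    r1 = challenge_response(wire_digest, c1)
    ok_cr = challenge_login("henri", c1, r1)
    # A captured response is useless against the next challenge.
    c2 = issue_challenge()
    replayed_cr = challenge_login("henri", c2, r1)
    return ok, replayed, ok_cr, replayed_cr
```

Note that the challenge-response only protects the wire: the stored digest is still password-equivalent if the database itself leaks, which is exactly the first poster's point.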

