But why isn't the password stored in the passwd/mysql using CRAM-MD5 format? That way you could always check it. It wouldn't matter if the client authenticated using plain or using CRAM-MD5. You could even double cipher the password using mysql PASSWORD().

a) Client authenticates using plain username/password. Create CRAM-MD5 from those tokens and check with the password stored.
b) Client authenticates using CRAM-MD5 username/password. Directly compare with the stored password.
Am I missing something important in here?
Every time the client authenticates, it uses a different challenge (issued by the server) to encode the response. CRAM-MD5 works in a way that if you and I both know the cleartext password (secret), we can both generate the same response to the common challenge. You can tell me the response, and I can verify whether you know the password, but someone overhearing our conversation can't determine the actual password.
If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it.
--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
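The challenge-response exchange Tom describes, as an added example that is not code from this thread or from vpopmail/qmailadmin: the hostname and credentials are constructed placeholders, `run_session` plays both client and server, and `fixed_challenge_is_replayable` models the questioner's idea of storing a single encoded value (which amounts to a constant challenge).

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname: str = "mail.example.net") -> str:
    """Fresh server challenge, unique per session (hostname is a constructed placeholder)."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 keyed with the cleartext password over the server's challenge."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(stored_password: str, username: str, challenge: str, response: str) -> bool:
    """Server side: it must hold the cleartext (or the HMAC key state) to recompute the same value."""
    expected = cram_md5_response(username, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def encode_wire(text: str) -> str:  # SASL carries both messages base64-encoded
    return base64.b64encode(text.encode()).decode()


def decode_wire(text: str) -> str:
    return base64.b64decode(text).decode()


def run_session(username, client_password, stored_password, challenge=None):
    """One full exchange; returns (challenge, base64 client response, accepted)."""
    challenge = challenge or make_challenge()
    wire_challenge = encode_wire(challenge)                      # server -> client
    response = cram_md5_response(username, client_password, decode_wire(wire_challenge))
    wire_response = encode_wire(response)                        # client -> server
    accepted = server_verify(stored_password, username, challenge, decode_wire(wire_response))
    return challenge, wire_response, accepted


def replay_is_rejected(username, password) -> bool:
    """A response captured from session 1 is useless in session 2, which has a new challenge."""
    _, captured, accepted = run_session(username, password, password)
    replayed = server_verify(password, username, make_challenge(), decode_wire(captured))
    return accepted and not replayed


def fixed_challenge_is_replayable(username, password, fixed_challenge) -> bool:
    """With one stored encoded value (a constant challenge) the captured response works forever."""
    _, captured, _ = run_session(username, password, password, fixed_challenge)
    return server_verify(password, username, fixed_challenge, decode_wire(captured))
```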