On Dec 10, 2004, at 11:28 AM, Pedro Pais wrote:
But why isn't the password stored in the passwd/mysql using CRAM-MD5
format? That way you could always check it. It wouldn't matter if the
client authenticated using plain or using CRAM-MD5. You could even
double cypher the password using mysql PASSWORD().
a) Client authenticates using plain username/password. Create CRAM-MD5
from those tokens and check with the password stored.
b) Client authenticates using CRAM-MD5 username/password. Directly
compare with the stored password.

Am I missing something important in here?

Every time the client authenticates, it uses a different challenge (issued by the server) to encode the response. CRAM-MD5 works in a way that if you and I both know the cleartext password (secret), we can both generate the same response to the common challenge. You can tell me the response, and I can verify whether you know the password, but someone overhearing our conversation can't determine the actual password.
If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
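The following is an added example, not code from either poster or from vpopmail, that walks through the exchange Tom describes: the server issues a fresh challenge, the client answers with an HMAC-MD5 keyed by the cleartext password, and the server recomputes the same value to verify it. It then shows why a stored "CRAM-MD5 password" cannot work: a response captured from one login is rejected when replayed against the next challenge, because the challenge changed. The user store, hostname and password are constructed for the demo; the fixed test vector in the usage note is the one published in RFC 2195.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample user store for the demo. Verification needs the cleartext
# secret (or an equivalent keyed-HMAC state) on the server; a one-way hash such
# as MySQL PASSWORD() cannot be used as the HMAC key.
USERS = {"pedro": "correct-horse-battery"}


def make_challenge(hostname="mail.example.test"):
    """Server side: a fresh, unpredictable challenge per login attempt (RFC 2195 style)."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the password over the challenge, then base64('user hexdigest')."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_response(encoded, challenge, users=USERS):
    """Server side: recompute the digest for the challenge we issued.

    Returns the username on success, None on any failure (bad encoding,
    unknown user, or digest mismatch).
    """
    try:
        username, digest = base64.b64decode(encoded, validate=True).decode().rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    password = users.get(username)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    return username if hmac.compare_digest(expected, digest) else None


def run_exchange(username, password, challenge=None):
    """One full exchange; returns (challenge, response, verified_username_or_None)."""
    challenge = challenge or make_challenge()
    response = cram_md5_response(username, password, challenge)
    return challenge, response, verify_response(response, challenge)


def replay_is_rejected(username="pedro"):
    """A response overheard during a valid login is useless against the next challenge."""
    _, captured, first_ok = run_exchange(username, USERS[username])
    next_challenge = make_challenge()
    return first_ok == username and verify_response(captured, next_challenge) is None


if __name__ == "__main__":
    ch, resp, who = run_exchange("pedro", USERS["pedro"])
    print("challenge:", ch.decode())
    print("response: ", resp)
    print("verified: ", who)
    print("replay rejected:", replay_is_rejected())
```

Feeding the RFC 2195 example (user `tim`, password `tanstaaftanstaaf`, challenge `<1896.697170952@postoffice.reston.mci.net>`) into `cram_md5_response` yields the RFC's published response, which is a quick way to confirm an implementation before wiring it to a real user store.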
