Fred Yankowski wrote:
On Thu, Jun 07, 2001 at 12:00:44AM +0500, Hannu Krosing wrote:
Afaik, the only bad behaviour from hashing (_not_ encrypting) the passwords would be the impossibility to use password verification methods that don't send cleartext passwords over the wire (challenge-response password exchange).
The "PHPlib" package for PHP provides a challenge-response authentication scheme where the browser runs a javascript function to hash the user-supplied password value before sending it as form data. If javascript is disabled or not available, the clear-text password is sent instead and the value hashed at the server to match against the stored value.
Just sending a hashed value does not make it any more secure, as said hashed value is as easy to sniff as plaintext. To have a real challenge response, something like the following must be done:

SERVER: generates a random string RS and sends RS to client
CLIENT: MD5(password+RS) and sends this back to server
SERVER: compares hash sent by client to locally computed MD5(password+RS)

For this to work the server needs to know the plaintext password.

--------------
Hannu