On Thu, Jun 07, 2001 at 12:00:44AM +0500, Hannu Krosing wrote:
> Afaik, the only bad behaviour from hashing (_not_ encrypting) the passwords would be the impossibility to use password verification methods that don't send cleartext passwords over the wire (challenge-response password exchange).

The "PHPlib" package for PHP provides a challenge-response authentication scheme where the browser runs a javascript function to hash the user-supplied password value before sending it as form data. If javascript is disabled or not available, the clear-text password is sent instead and the value hashed at the server to match against the stored value.

-- 
Fred Yankowski           fred@OntoSys.com      tel: +1.630.879.1312
Principal Consultant     www.OntoSys.com       fax: +1.630.879.1370
OntoSys, Inc             38W242 Deerpath Rd, Batavia, IL 60510, USA
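
An added example, not part of the original message and not PHPlib's own code: a Node.js sketch of the exchange described above, showing that a server storing only hash(password) can still verify a challenge response and fall back to hashing a cleartext submission. The SHA-256/HMAC construction, the function names and the sample account are assumptions chosen for illustration.

```javascript
// Added illustration, not PHPlib code. SHA-256/HMAC and all names are assumptions.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg, 'utf8').digest('hex');

// Server stores only hash(password). Constructed sample account.
const users = new Map([['alice', sha256('correct horse')]]);
const pending = new Map(); // username -> outstanding one-time challenge

// Server: fresh random challenge embedded in each login form.
function issueChallenge(username) {
  const challenge = crypto.randomBytes(16).toString('hex');
  pending.set(username, challenge);
  return challenge;
}

// Browser with scripting enabled: the password itself never leaves the client.
function clientResponse(password, challenge) {
  return hmac(sha256(password), challenge);
}

// Constant-time comparison that tolerates inputs of different length.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server: check a scripted response, or hash a cleartext fallback submission.
function verifyLogin(username, { response, password } = {}) {
  const stored = users.get(username);
  const challenge = pending.get(username);
  pending.delete(username); // a challenge is valid for one attempt only
  if (!stored || !challenge) return false;
  if (response !== undefined) return safeEqual(response, hmac(stored, challenge));
  if (password !== undefined) return safeEqual(sha256(String(password)), stored);
  return false;
}
```

In this construction the stored hash is itself sufficient to answer a challenge, so the table needs the same protection as cleartext passwords would. The fallback path still puts the password on the wire, so it only makes sense over an encrypted connection.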