[Twisted-Python] PB and hashed passwords
Uwe C. Schroeder
uwe at oss4u.com
Fri Apr 23 01:06:10 MDT 2004
On Thursday 22 April 2004 11:19 pm, Stephen Waterbury wrote:
> Uwe C. Schroeder wrote:
> > .... Maybe I don't get it, but where
> > is the sense in sending a password in cleartext over the wire to then md5
> > it on the "server" side ?
> > I'd rather md5 it on the client side and send the hash to be compared
> > against the password storage, which also stores an md5.
>
> That wouldn't make sense: if you send the passwd as md5 hash
> to be compared against itself stored as md5 hash, it's the
> same as sending the passwd cleartext, since you are effectively
> using the md5 hashed passwd *as* the passwd (and if anyone
> intercepts it they can use it directly to get access).
You've got a point there; however, assume you have a snooper in between: an md5
hash is much less suspicious/easy to filter.
> The point of storing it on the server side as an md5 hash
> is that even if someone breaks in and steals the md5 hash
> of the passwd, they can't reverse the hash to get the
> cleartext passwd, and so they can't get in (since the
> checker checks the cleartext passwd [which came in over
> an encrypted channel] against the md5 hash).
Would be nice to have ssh with pb :-) Has anyone written that yet? (Don't ask
me to volunteer, I've got deadlines up to my neck.)
UC
--
Open Source Solutions 4U, LLC
2570 Fleetwood Drive
San Bruno, CA 94066
United States
Phone: +1 650 872 2425
Cell: +1 650 302 2405
Fax: +1 650 872 2417
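To make Stephen's point concrete, here is an added example (not code from this thread or from Twisted) that models the two checkers the posters describe against a constructed password store: one compares a client-supplied digest with the stored digest, the other hashes a received cleartext password on the server. The helper at the end asks the question that matters for a stolen database: does the stored value alone satisfy the checker?

```python
import hashlib
import hmac

# Constructed store: usernames and password are made up; md5 is used only
# because it is the digest the thread discusses.
STORE = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def check_client_hashed(user, submitted_hash):
    """Scheme from the first post: the client sends md5(password) and the
    server compares it byte-for-byte with the stored digest."""
    stored = STORE.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)


def check_server_hashed(user, submitted_password):
    """Scheme Stephen describes: the cleartext password arrives (over an
    encrypted channel) and the server hashes it before comparing."""
    stored = STORE.get(user)
    digest = hashlib.md5(submitted_password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, digest)


def stored_digest_is_sufficient(user, checker):
    """True if someone holding only the stored digest (what a database thief
    has) passes the checker, i.e. the digest has become the password."""
    return checker(user, STORE[user])


if __name__ == "__main__":
    # Both checkers accept the legitimate credential...
    print(check_client_hashed("alice", hashlib.md5(b"correct horse").hexdigest()))
    print(check_server_hashed("alice", "correct horse"))
    # ...but only the client-hashed design turns the stored value into a key.
    print(stored_digest_is_sufficient("alice", check_client_hashed))  # True
    print(stored_digest_is_sufficient("alice", check_server_hashed))  # False
```

In the server-hashed design the stored digest is hashed again when replayed as a password, so it never matches; that is the property the thread is arguing about.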