On Tue, Nov 28, 2006 at 08:52:22AM -0800, jezzzz . wrote:
> I was wondering if we could protect against both.
> Sending a password encrypted would protect against
> eavesdropping. Once the password has been received,
> the hash of it is taken and compared with the hash of
> the password saved, so it also takes care of a local
> attacker.

Send an encrypted password? Encrypted how, exactly? One common mistake is to suggest to simply send the hash, as it is encrypted. But this merely makes the hash a "password equivalent": An eavesdropper can use the hash to authenticate without knowing the password.

>
> I could certainly use SSL/TLS, but that still doesn't
> take care of a local attack to obtain the passwords of
> the users.

-- 
Tzafrir Cohen
icq#16849755 jabber:[EMAIL PROTECTED]
+972-50-7952406 mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
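
An added example, not part of the original post: a small Python model of the "password equivalent" point made in the reply, next to the arrangement the quoted question describes (password sent over a protected channel, hashed on receipt). The class names, the user name and the sample password are hypothetical, and the use of salted PBKDF2 for the server-side hash is an assumption of this sketch.

```python
import hashlib
import hmac
import os

class HashOnWireServer:
    """Scheme A: the client sends H(password); the server stores the same H(password)."""
    def __init__(self):
        self.db = {}
    def enroll(self, user, password):
        self.db[user] = hashlib.sha256(password).digest()
    def login(self, user, wire_value):
        # Whatever arrives on the wire is compared directly with the stored value.
        return hmac.compare_digest(self.db.get(user, b""), wire_value)

class HashAtServer:
    """Scheme B: the password arrives over a protected channel; the server hashes it."""
    def __init__(self):
        self.db = {}
    def enroll(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._kdf(password, salt))
    @staticmethod
    def _kdf(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)
    def login(self, user, wire_value):
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        # The received value is hashed first, so a stored hash is not a valid input.
        return hmac.compare_digest(stored, self._kdf(wire_value, salt))

def demo():
    password = b"constructed-sample-password"   # constructed sample value
    a, b = HashOnWireServer(), HashAtServer()
    a.enroll("alice", password)
    b.enroll("alice", password)
    on_wire_a = hashlib.sha256(password).digest()  # what scheme A transmits
    return {
        # Scheme A: the transmitted hash and the stored hash both authenticate.
        "A_observed_wire_value_accepted": a.login("alice", on_wire_a),
        "A_stored_db_value_accepted": a.login("alice", a.db["alice"]),
        # Scheme B: the stored hash is rejected; only the password is accepted.
        "B_stored_db_value_accepted": b.login("alice", b.db["alice"][1]),
        "B_password_accepted": b.login("alice", password),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Scheme B addresses only the stored-password concern; the password itself still has to cross the network inside a protected channel such as the SSL/TLS mentioned in the quoted text.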