On Saturday 09 January 2010 18:35:51 D. Richard Hipp wrote:

> I'm not familiar with that algorithm. Can you explain or provide a link?

Do the same thing as at present, in that the client sends the password hashed 
and not in cleartext.

The server takes that hashed value and the user name, hashes again (perhaps 
with a different algorithm) and compares to what it has stored.  Neither the 
original password (stored in the local machine or entered by the user) nor 
the value sent on the wire (first hash) is stored in the server.

I'm not a cryptographer so I don't know if there are stunning weaknesses in 
this algorithm, but it seems to me better than storing cleartext in the 
server file.

-- 
Sending me something private?
Use my GPG public key: AD29415D
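The two-stage scheme described above, written out as an added example (this is not code from the message or from Fossil). The hash function, the way the user name is mixed into the second hash, and the dictionary standing in for the server's user file are all assumptions made for the illustration:

```python
import hashlib
import hmac

# ASSUMPTION: SHA-256 for both stages; the message leaves the algorithms open.

def client_hash(password: str) -> str:
    """First hash: the value the client sends on the wire instead of the cleartext password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def server_hash(username: str, wire_hash: str) -> str:
    """Second hash, over the user name and the wire value. Only this is stored."""
    # ASSUMPTION: user name and wire value joined with ':' before hashing.
    return hashlib.sha256(f"{username}:{wire_hash}".encode("utf-8")).hexdigest()

def enroll(user_file: dict, username: str, password: str) -> None:
    """Create a user record from the password; the record holds neither the password nor the first hash."""
    user_file[username] = server_hash(username, client_hash(password))

def verify(user_file: dict, username: str, wire_hash: str) -> bool:
    """Server-side check: rehash what came over the wire and compare with the stored record."""
    stored = user_file.get(username)
    if stored is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(stored, server_hash(username, wire_hash))

if __name__ == "__main__":
    # Constructed sample data standing in for the server's user file.
    user_file = {}
    enroll(user_file, "alice", "correct horse")
    print("stored record:", user_file["alice"])
    print("login ok:", verify(user_file, "alice", client_hash("correct horse")))
    print("wrong password:", verify(user_file, "alice", client_hash("battery staple")))
```

Because the user name is folded into the second hash, two users with the same password get different stored records, and the stored file is of no direct use for logging in. The first hash, however, is exactly what the server expects to receive, so this scheme protects the server's stored file rather than the transport; the wire value still has to be protected in transit.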


_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
