On Thursday, December 16, 2004, Brad Greenlee wrote:

> The original python version never actually sends the password in any
> form; I believe it just uses it to hash the server url, which gets
> passed as a parameter. The server then just hashes its own url with its
> password to see if they match. I suppose I could try using crypt to do
> the same, coming up with some way to derive a reasonable salt from the
> password. Any suggestions?

Hashing the server URL isn't much better though, as an attacker can still use the pre-hashed value to connect to the same server. Maybe hash the client IP+port? But then you get problems with NAT. You could also hash the query string.
I'd probably just stick with a plaintext password, since the program is just supposed to show that P2P in that little code is feasible. It doesn't have to address everything. - Karsten
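The replay concern raised above can be shown concretely. The following Python is an added example written for this thread, not code from the original P2P program or from either poster. It models the described scheme (password used to hash the server URL, digest passed as a parameter and recomputed server-side) with SHA-256 over password + URL as a stand-in, since the thread does not name the hash, and puts a server-chosen per-connection nonce beside it as the assumed fix. The password, URL and nonce values are constructed for the example.

```python
"""Static URL-hash token versus a per-connection challenge (added example)."""
import hashlib
import hmac
import secrets

PASSWORD = b"example-shared-secret"        # constructed sample value
SERVER_URL = b"http://peer.example:8000/"  # constructed sample value


def static_token(password, url):
    """Scheme from the thread: hash the server URL with the password and pass
    the digest as a request parameter. Both inputs are fixed, so every
    connection produces the same token (SHA-256 is an assumption here)."""
    return hashlib.sha256(password + url).hexdigest()


def server_checks_static(password, url, presented):
    """Server side: recompute the digest of its own URL and compare it
    in constant time with the presented value."""
    return hmac.compare_digest(static_token(password, url), presented)


def server_challenge():
    """Assumed fix, not in the original program: the server picks a fresh
    random nonce for each connection and sends it to the client."""
    return secrets.token_bytes(16)


def response_token(password, url, nonce):
    """Client side: HMAC over URL and nonce, keyed with the password."""
    return hmac.new(password, url + nonce, hashlib.sha256).hexdigest()


def server_checks_response(password, url, nonce, presented):
    """Server side: recompute the HMAC for the nonce it issued."""
    return hmac.compare_digest(response_token(password, url, nonce), presented)


def static_token_reusable():
    """True if a token observed on one connection is accepted unchanged on
    the next, which is the replay property discussed in the thread."""
    observed = static_token(PASSWORD, SERVER_URL)   # value seen on connection 1
    second = static_token(PASSWORD, SERVER_URL)     # value client sends on connection 2
    return observed == second and server_checks_static(PASSWORD, SERVER_URL, observed)


def response_token_reusable():
    """Same question for the nonce scheme: the response was bound to the
    first nonce, and the server now expects one computed over a new nonce."""
    first_nonce = server_challenge()
    observed = response_token(PASSWORD, SERVER_URL, first_nonce)
    second_nonce = server_challenge()
    return server_checks_response(PASSWORD, SERVER_URL, second_nonce, observed)


if __name__ == "__main__":
    print("static URL hash reusable across connections:", static_token_reusable())
    print("nonce-bound response reusable across connections:", response_token_reusable())
```

The first function returns True: because the token never changes, the server cannot distinguish the legitimate client from anyone who has seen the value once, which is exactly the weakness of hashing a fixed URL. The second returns False: binding the response to a server-chosen nonce makes each token single-use without sending the password or relying on the client's IP and port, so the NAT problem mentioned above does not arise.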
