On Wed, Jan 28, 2009 at 6:41 PM, George Fletcher <gffle...@aol.com> wrote:
> The request is only valid if the receiving
> authentication system can generate the signature using the password for
> that user.

Lots of authentication servers can't do that, because they do not keep a clear-text version of the user's password. Instead they store a salted hash. I love Thomas Ptacek's summary of password storage schemes:
http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
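The distinction the reply draws, as an added Python example (not code from the thread or from any OAuth implementation): a server that stores only a random salt and a PBKDF2 hash can check a password the client presents, but it has no copy of the raw password and so cannot regenerate an HMAC that the client keyed with it. The user name, password, request bytes and iteration count below are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; nothing here comes from the mailing-list thread.
PASSWORD = "correct horse battery staple"
SAMPLE_REQUEST = b"GET /resource?user=alice"


def store_salted_hash(password: str, iterations: int = 100_000) -> dict:
    """Server-side record in the salted-hash model: a fresh random salt and a
    slow PBKDF2 digest. The clear-text password is never written down."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(record: dict, candidate: str) -> bool:
    """The one check a salted-hash store supports: recompute the digest for a
    password the client sent and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def sign_request(password: str, request: bytes) -> bytes:
    """Client side of the password-keyed scheme under discussion: an HMAC over
    the request, keyed with the raw password."""
    return hmac.new(password.encode(), request, hashlib.sha256).digest()


def verify_signature_with_plaintext(stored_password: str, request: bytes,
                                    signature: bytes) -> bool:
    """A server that does hold the clear-text password can regenerate the
    client's signature and compare."""
    expected = sign_request(stored_password, request)
    return hmac.compare_digest(expected, signature)


def verify_signature_with_salted_hash(record: dict, request: bytes,
                                      signature: bytes) -> bool:
    """A salted-hash server has no HMAC key. The closest thing it holds is the
    stored digest; keying the HMAC with that never matches what the client
    computed from the raw password, so this check always fails."""
    attempt = hmac.new(record["hash"], request, hashlib.sha256).digest()
    return hmac.compare_digest(attempt, signature)


if __name__ == "__main__":
    record = store_salted_hash(PASSWORD)
    sig = sign_request(PASSWORD, SAMPLE_REQUEST)
    print("password check from salted hash:",
          verify_password(record, PASSWORD))
    print("signature check with clear-text password:",
          verify_signature_with_plaintext(PASSWORD, SAMPLE_REQUEST, sig))
    print("signature check from salted hash only:",
          verify_signature_with_salted_hash(record, SAMPLE_REQUEST, sig))
```

The example also shows why the two models are not interchangeable at the storage layer: two enrollments of the same password produce different records because each gets its own salt, which is exactly the property that leaves the server without a stable secret to key a signature with.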