On Mon, 12 Mar 2001, DONNIE HALE wrote:

> The problem with this approach is that, without a challenge-response, having the MD5
> digest of the password is as good as having the password.
>
> Donnie
>
> >>> [EMAIL PROTECTED] 03/12/01 10:05AM >>>
> You could also use a little javascript to send
> password coded with md5 and verify in servlet the
> password for this user via md5 is equal to the
> password string you received :
>
> ie: http://pajhome.org.uk/crypt/md5/index.html
>

Of course, you have the server send a random number (or better a date,
since it will never repeat). The hash is applied to the password combined
with the date. This gets sent to the server and the server knows what it
sent out so it can calculate what the hash value should be.

This is how APOP works. This, naturally, does nothing to conceal the DATA
in transit, but it does a fairly decent job (though not infallible) of
concealing the password.

Joe Laffey
LAFFEY Computer Imaging
St. Louis, MO
----------------------
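The APOP-style exchange Joe describes, as an added example that is not part of the original thread: the server issues a one-shot challenge, the client returns MD5(challenge + password), and the server recomputes it and rejects any reuse of the challenge. The user name, password and challenge format are constructed for the demonstration; the random suffix on the challenge is an assumption added so it cannot repeat, not part of APOP proper.

```python
import hashlib
import os
import secrets
import time

# Constructed sample credential store. Note the trade-off Joe's scheme implies:
# the server must hold the plaintext password (or an equivalent secret) to
# recompute the digest, so it cannot store only a salted hash of the password.
USERS = {"alice": "correct horse battery staple"}


class Server:
    def __init__(self):
        self.outstanding = {}  # challenge -> user it was issued to
        self.used = set()      # challenges already consumed, to refuse replays

    def challenge(self, user):
        # APOP's banner is a timestamp like <pid.time@host>; the random suffix
        # (assumption) keeps two logins within the same second from colliding.
        chal = f"<{os.getpid()}.{int(time.time())}.{secrets.token_hex(8)}@example.invalid>"
        self.outstanding[chal] = user
        return chal

    def verify(self, user, chal, digest):
        # A digest sniffed from the wire is only valid for the challenge it was
        # computed over; a second presentation of the same challenge is refused.
        if chal in self.used or self.outstanding.get(chal) != user:
            return False
        del self.outstanding[chal]
        self.used.add(chal)
        expected = hashlib.md5((chal + USERS[user]).encode()).hexdigest()
        return secrets.compare_digest(expected, digest)


def client_response(chal, password):
    # What the browser-side MD5 code would send instead of the raw password.
    return hashlib.md5((chal + password).encode()).hexdigest()


def run_exchange(password_tried):
    """Return (first_attempt_ok, replay_of_same_digest_ok) for one login."""
    server = Server()
    chal = server.challenge("alice")
    resp = client_response(chal, password_tried)
    first = server.verify("alice", chal, resp)
    replay = server.verify("alice", chal, resp)  # captured digest sent again
    return first, replay
```

The password itself never crosses the wire, but a captured (challenge, digest) pair can still be attacked offline by hashing candidate passwords, which is why Joe calls the protection decent rather than infallible.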