On Monday, May 4 2009 08:24:31 Diez B. Roggisch wrote:

> I don't think so. Of course, having all this information, a man in the
> middle can perform a login.
>
> But first of all - the algorithm is MD5. It's irrelevant if he has the
> source code, it must be the same outcome for any MD5 implementation.

It's not MD5; it's another algorithm, which uses MD5.

> And the more important thing: he doesn't have the clear-text password,
> which would potentially allow logging in on other sites as well, even if
> these use different hashing algorithms or salts.
> I'm by far not a cryptographer, but at least sending hashes over the
> wire makes things a lot harder.

"Harder", compared to plain-text passwords, yes. But that it's "hard" is not a rule of thumb -- there are other factors that come into play. For example, transmitting the MD5 hash of a password can be as risky as transmitting the password itself, thanks to rainbow tables (e.g., gdataonline.com). It's hashed, but anyone with a browser could get the original password or an equivalent.

Cheers,
- Gustavo.
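Added example (not from the thread or from TurboGears) illustrating Gustavo's point with a constructed stand-in for a public MD5 lookup table: an eavesdropper reverses an unsalted digest by a dictionary lookup, while a per-user salt defeats the precomputed table and a server-chosen challenge makes the value on the wire neither lookupable nor replayable. The password list, salt and challenge sizes are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed: a tiny stand-in for a public MD5 lookup service / rainbow table.
# Real tables hold billions of candidates; the principle is identical.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "turbogears"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def reverse_unsalted_md5(hex_digest):
    """What an eavesdropper can do with a captured unsalted MD5: one lookup.
    Returns the recovered password, or None if the table does not cover it."""
    return MD5_TABLE.get(hex_digest)


def salted_digest(password, salt):
    """Per-user random salt: the same password yields a different digest for
    every user, so no single precomputed table covers it. A captured salt and
    digest can still be attacked per user offline, which is why a slow hash
    (not plain MD5) is also needed at rest."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def challenge_response(password, challenge):
    """Client proof bound to a server-chosen one-time challenge (HMAC-MD5 here,
    assumed for the demo). The wire carries neither the password nor a digest
    that a table can reverse or a replay can reuse."""
    return hmac.new(password.encode(), challenge, "md5").hexdigest()


def demo():
    # What crosses the wire when the client sends md5(password) directly.
    captured = hashlib.md5(b"letmein").hexdigest()
    recovered = reverse_unsalted_md5(captured)           # "letmein"

    salt = secrets.token_bytes(8)                        # assumed 8-byte salt
    salted_recovered = reverse_unsalted_md5(salted_digest("letmein", salt))

    challenge = secrets.token_bytes(16)                  # assumed 16-byte nonce
    proof = challenge_response("letmein", challenge)
    # A proof captured for one challenge is useless against the next one.
    replay_succeeds = hmac.compare_digest(
        proof, challenge_response("letmein", secrets.token_bytes(16)))
    return recovered, salted_recovered, proof != captured, replay_succeeds


if __name__ == "__main__":
    print(demo())
```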
