bradb@geom.umn.edu (Brad Barber) said:
> I'm glad to see that you are considering digest authorization
> for HTTP. I noticed a few security holes that may be of
> concern:
>
> - the server's digest database of H(<username> : <realm> : <password>) should
> receive highest security. To the knowledgeable user, it is the same as
> storing passwords in the clear. This is a weakness of the digest
> method. The passwd file in UNIX that is used for "basic" authorization
> may be released without compromising strong passwords.
[...]

I would like to propose that <password> be replaced by H(<password>).
The client would pass to the server

    H(<username> : <realm> : H(<password>))

The server could store in its user/password file

    user-name:H(<password>)

That way the password would neither be passed in the clear nor stored in the clear.

Dave Kristol

Received on Friday, 14 July 1995 12:42:04 EDT
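The two schemes under discussion, worked through in code. This is an added example, not code from the message or from any HTTP Digest implementation: it uses the draft-era response formula H(HA1 : nonce : H(method:uri)) with MD5, and the credentials, nonce and URI are constructed sample values. It computes what the client sends and what the server stores under the original scheme (HA1 = H(user:realm:password)) and under Kristol's variant (server stores H(password)), verifies a client response from the stored record alone, and then checks the property Barber raised: whether the stored record by itself is enough to produce a response the server accepts, so a defender can see that the record must be protected as a password equivalent.

```python
import hashlib
import hmac

# Constructed sample credentials and challenge (not taken from the original message).
USERNAME = "alice"
REALM = "example-realm"
PASSWORD = "correct horse battery staple"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/private/index.html"


def H(data: str) -> str:
    """MD5 hex digest, the hash the HTTP Digest drafts of the time used."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1_standard(username: str, realm: str, password: str) -> str:
    """A1 hash as in the draft: H(username:realm:password)."""
    return H(f"{username}:{realm}:{password}")


def ha1_proposed(username: str, realm: str, password: str) -> str:
    """Kristol's variant: the password is hashed before it enters A1."""
    return H(f"{username}:{realm}:{H(password)}")


def response_from_ha1(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Draft-era response: H(HA1 : nonce : H(method:uri))."""
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{nonce}:{ha2}")


def client_response(scheme: str, username: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """What a client that knows the real password sends under each scheme."""
    if scheme == "standard":
        ha1 = ha1_standard(username, realm, password)
    elif scheme == "proposed":
        ha1 = ha1_proposed(username, realm, password)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return response_from_ha1(ha1, nonce, method, uri)


def server_record(scheme: str, username: str, realm: str, password: str) -> str:
    """The value the server's user/password file holds under each scheme."""
    if scheme == "standard":
        return ha1_standard(username, realm, password)   # H(user:realm:password)
    if scheme == "proposed":
        return H(password)                               # H(password)
    raise ValueError(f"unknown scheme {scheme!r}")


def expected_response_from_record(scheme: str, stored: str, username: str,
                                  realm: str, nonce: str, method: str,
                                  uri: str) -> str:
    """Recompute the response a server expects, using only its stored record."""
    if scheme == "standard":
        ha1 = stored
    elif scheme == "proposed":
        ha1 = H(f"{username}:{realm}:{stored}")
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return response_from_ha1(ha1, nonce, method, uri)


def server_verify(scheme: str, stored: str, username: str, realm: str,
                  nonce: str, method: str, uri: str, response: str) -> bool:
    """Server-side check; constant-time compare against the recomputed value."""
    expected = expected_response_from_record(scheme, stored, username, realm,
                                             nonce, method, uri)
    return hmac.compare_digest(expected, response)


def record_is_password_equivalent(scheme: str, username: str, realm: str,
                                  password: str, nonce: str, method: str,
                                  uri: str) -> bool:
    """True if the stored record alone (no password) yields an accepted response.

    This is the property Barber points out: if it holds, the record needs the
    same protection as a cleartext password, whichever scheme is used.
    """
    stored = server_record(scheme, username, realm, password)
    from_record_only = expected_response_from_record(
        scheme, stored, username, realm, nonce, method, uri)
    return server_verify(scheme, stored, username, realm, nonce, method, uri,
                         from_record_only)


if __name__ == "__main__":
    for scheme in ("standard", "proposed"):
        stored = server_record(scheme, USERNAME, REALM, PASSWORD)
        resp = client_response(scheme, USERNAME, REALM, PASSWORD, NONCE, METHOD, URI)
        ok = server_verify(scheme, stored, USERNAME, REALM, NONCE, METHOD, URI, resp)
        equiv = record_is_password_equivalent(
            scheme, USERNAME, REALM, PASSWORD, NONCE, METHOD, URI)
        print(f"{scheme:9s} stored={stored} verify={ok} record_is_password_equivalent={equiv}")
```

Running it shows both schemes verify a genuine client and reject a wrong password, and that `record_is_password_equivalent` is True for both: under the proposal the server file no longer holds a value tied to the realm, but whoever reads H(password) can still derive the client's response, because the server derives it the same way. The operational consequence for the server operator is the same in both cases: the digest file must be protected like a cleartext password store, which is the point Barber's message makes about the original scheme.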
This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:23 EDT