
Re: Digest Authentication

From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Date: Tue, 16 Oct 2001 20:01:46 +0200 (CEST)
To: Dylan Barrell <dbarrell@opentext.com>
cc: WebDAV <w3c-dist-auth@w3.org>
Message-ID: <Pine.BSF.4.05.10110161957290.7001-100000@kim.ispra.webweaving.org>
On Tue, 16 Oct 2001, Dylan Barrell wrote:

> Digest Authentication requires that a server store its passwords in such a
> way that they be available in clear text format.

Actually, though your implementation -could- store the password on disk as
plain text, most do not, and it is technically not required. Some bad
implementations do store it plain, but (for example) the Apache web
server stores the password as a hash (md5 or crypt) on the server side.

See http://cvs.apache.org -> apache-1.3 -> src/support/htpasswd.c and
src/support/htdigest.c to get an idea of the code.

So it is not a requirement, just an implementation choice.

It is true that with normal basic auth the password goes over the wire in
the clear; but with digest auth this is not the case.

Dw
Received on Tuesday, 16 October 2001 14:02:14 GMT
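As an added example (not code from this thread or from Apache), the following shows the htdigest-style storage scheme the message points at: the server keeps user:realm:MD5(user:realm:password), the Digest H(A1) value, and verifies a client's RFC 2617 qop=auth response from that value alone without ever holding the plaintext. The user, realm, password, nonce and URI values are constructed for the example.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    # Hex MD5, the primitive HTTP Digest (RFC 2617) is built on.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    # The record htdigest writes: user:realm:H(A1), where
    # H(A1) = MD5(user:realm:password). The plaintext is not stored.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def parse_htdigest(text: str) -> dict:
    # Load user:realm:H(A1) records into a {(user, realm): H(A1)} map.
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        store[(user, realm)] = ha1
    return store


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    # RFC 2617 response with qop=auth, computed from H(A1) only.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # The client knows the password, so it derives H(A1) itself.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def server_verify(store, user, realm, method, uri, nonce, nc, cnonce, response):
    # Server check: recompute from the stored H(A1); no plaintext needed.
    ha1 = store.get((user, realm))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Constructed sample: one record exactly as htdigest would write it.
SAMPLE_HTDIGEST = htdigest_line("dylan", "webdav", "s3cret") + "\n"
STORE = parse_htdigest(SAMPLE_HTDIGEST)
```

The stored H(A1) is not the password, but it is by itself enough to answer Digest challenges for that realm, so the file needs the same access controls as a plaintext one.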
