On Tue, 16 Oct 2001, Dylan Barrell wrote:

> Digest Authentication requires that a server store its passwords in such a
> way that they be available in clear text format.

Actually, though your implementation -could- store the password on disk as plain text - most do not; and it is technically not required. Some bad implementations do store it plain - but (for example) the apache web server stores the password as a hash (md5 or crypt) on the server side. (See http://cvs.apache.org -> apache-1.3 -> src/support/htpasswd.c and src/support/htdigest.c to get an idea of the code). So it is not a requirement - just an implementation choice.

It is true that with normal basic auth the password goes over the wire in the clear; but with digest auth this is not the case.

Dw

Received on Tuesday, 16 October 2001 14:02:14 GMT
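The point made in the message above, as an added example that is not part of the original post or of Apache's code: a server can check an RFC 2617 Digest response using only a stored `user:realm:MD5(user:realm:password)` record, never the clear-text password. The function names are hypothetical, the credentials are the sample values from the RFC 2617 example, and nonce issuance and freshness checks are assumed to happen elsewhere.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_line(user, realm, password):
    # The record kept on disk: user:realm:MD5(user:realm:password).
    ha1 = md5_hex("%s:%s:%s" % (user, realm, password))
    return "%s:%s:%s" % (user, realm, ha1)

def load_ha1(lines, user, realm):
    # Find the stored hash (HA1) for this user and realm.
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[:2] == [user, realm]:
            return fields[2]
    return None

def expected_response(ha1, method, f):
    # RFC 2617 request-digest, built from HA1 and the request fields only.
    ha2 = md5_hex("%s:%s" % (method, f["uri"]))
    if f.get("qop") == "auth":
        parts = [ha1, f["nonce"], f["nc"], f["cnonce"], "auth", ha2]
    else:  # no qop: the older RFC 2069 form
        parts = [ha1, f["nonce"], ha2]
    return md5_hex(":".join(parts))

def verify(lines, realm, method, f):
    # f holds the parsed fields of the client's Authorization header.
    ha1 = load_ha1(lines, f.get("username", ""), realm)
    if ha1 is None or f.get("qop") not in (None, "auth"):
        return False
    try:
        want = expected_response(ha1, method, f)
    except KeyError:  # a required field is missing
        return False
    return hmac.compare_digest(want, f.get("response", ""))

# Sample store and request, using the RFC 2617 example values.
REALM = "testrealm@host.com"
STORE = [htdigest_line("Mufasa", REALM, "Circle Of Life")]
REQUEST = {"username": "Mufasa", "uri": "/dir/index.html", "qop": "auth",
           "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
           "nc": "00000001", "cnonce": "0a4f113b",
           "response": "6629fae49393a05397450978507c4ef1"}

if __name__ == "__main__":
    print(STORE[0])
    print(verify(STORE, REALM, "GET", REQUEST))
```

The stored hash is still everything needed to compute a valid response for that realm, so the file deserves the same protection as a password file.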