- From: Dave Kristol <dmk@allegra.att.com>
- Date: Fri, 14 Jul 95 14:51:04 EDT
- To: bradb@geom.umn.edu
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
bradb@geom.umn.edu (Brad Barber) said: > I'm glad to see that you are considering digest authorization > for HTTP. I noticed a few security holes that may be of > concern: > > - the server's digest database of H(<username> : <realm> : <password>) should > receive highest security. To the knowledgeable user, it is the same as > storing passwords in the clear. This is a weakness of the digest > method. The passwd file in UNIX that is used for "basic" authorization > may be released without compromising strong passwords. [...] I would like to propose that <password> be replace by H(<password>). The client would pass to the server H(<username> : <realm> : H(<password>)) The server could store in its user/password file user-name:H(<password>) That way the password would neither be passed in the clear nor stored in the clear. Dave Kristol
Received on Friday, 14 July 1995 12:42:04 UTC