- From: John Keiser <jkeiser@netscape.com>
- Date: Mon, 18 Nov 2002 11:51:03 -0800
- To: Goetz Bock <bock@blacknet.de>
- CC: www-forms@w3.org
- Message-ID: <3DD944A7.8000101@netscape.com>
Goetz Bock wrote: >On Sun, Nov 17 '02 at 12:35, John Keiser wrote: > > >>I think the bottom line here is, MD5 is not enough but we need an MD5 >>function so that we can hash the password so that it will match the one >>in the database before doing another, more secure hash based on >>server-supplied text, like HMAC (thanks John). >> >> >Just to tel you again: using MD5 on the password will not gain you >anything. MD5ing a password to match it against an MD5-hash stored in >the database is *WORSE* than sending the plaintext password (It's worse >because it gives a false sence of security). >And using HMAC wont help either. > > Why do you think HMAC won't help? I think you're laboring under a misapprehension about what it is. Please help me understand. Regarding MD5, just to tell you again: using MD5 is necessary because many servers store the password as MD5. That does not mean we're going to send the MD5 sum across. I am proposing something more like this: 1. Server supplies random text to browser 2. Browser sends back HMAC(sha1|md5, serverText, MD5(userPassword)) 3. Server can do HMAC(sha1|md5, serverText, md5PasswordStoredInDatabase) and compare if equal Regardless, it would be good to have something simple that allows us to match against MD5 passwords, whether we piggyback on HMAC or over XML sigs. >Face it. youre not going to add ANYTHING to html anymore. html has been >deploied and it's impossible to fix anything, now or in the future. > > I'm talking about adding these to XPath. --John
Received on Monday, 18 November 2002 14:51:37 UTC