RE: Summary of Responses to Passwords in the Clear from Web SC Working Group

On Thu, 2008-04-10 at 15:54 +0200, Marc de Graauw wrote:
> Dan Connolly:
> 
> | > The bulk of Chris Drake's message:
> | [... seems to be about dictionary attacks ...]
> | 
> | OK, but how is SSL not vulnerable to the same dictionary attacks?
> 
> SSL uses large random numbers to establish a session; Chris's argument is
> against using hashes of non-random (even trivial) passwords.

Digest uses a nonce similarly, no?



-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E

Received on Thursday, 10 April 2008 15:12:15 UTC
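
The following is an added example, not part of the original thread: it computes the RFC 2617 Digest response (qop=auth) to show which inputs the nonce randomizes and which input remains the only secret. The function names and the candidate lists are constructed for illustration; the field values are the sample values from RFC 2617 section 3.5.

```python
import hashlib

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 section 3.2.2.1 request-digest for qop=auth."""
    ha1 = _md5(f"{user}:{realm}:{password}")  # password is the only secret input
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Every field below travels in the clear in the Authorization header,
# including the server nonce and the client nonce.
OBSERVED = {
    "user": "Mufasa",
    "realm": "testrealm@host.com",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
}
OBSERVED_RESPONSE = digest_response(password="Circle Of Life", **OBSERVED)

def audit_password(observed, response, candidates):
    """Password-strength audit: return the candidate that reproduces the
    observed response, or None if no candidate matches."""
    for guess in candidates:
        if digest_response(password=guess, **observed) == response:
            return guess
    return None

if __name__ == "__main__":
    # A fresh nonce yields a different response, so an old response cannot be replayed.
    fresh = dict(OBSERVED, nonce="0" * 32)
    print(digest_response(password="Circle Of Life", **fresh) != OBSERVED_RESPONSE)
    # The nonce is public, so the response can still be checked against guesses:
    # resistance to guessing comes from the password's entropy, not the nonce.
    print(audit_password(OBSERVED, OBSERVED_RESPONSE, ["letmein", "Circle Of Life"]))
    print(audit_password(OBSERVED, OBSERVED_RESPONSE, ["letmein", "123456"]))
```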