[Twisted-Python] PB and hashed passwords

Stephen Waterbury golux at comcast.net
Fri Apr 23 02:19:46 EDT 2004

Uwe C. Schroeder wrote:

> .... Maybe I don't get it, but where 
> is the sense in sending a password in cleartext over the wire to then md5 it 
> on the "server" side ?
> I'd rather md5 it on the client side and send the hash to be compared against 
> the password storage, which also stores a md5.

That wouldn't make sense:  if you send the passwd as md5 hash
to be compared against itself stored as md5 hash, it's the
same as sending the passwd cleartext, since you are effectively
using the md5 hashed passwd *as* the passwd (and if anyone
intercepts it they can use it directly to get access).

The point of storing it on the server side as an md5 hash
is that even if someone breaks in and steals the md5 hash
of the passwd, they can't reverse the hash to get the
cleartext passwd, and so they can't get in (since the
checker checks the cleartext passwd [which came in over
an encrypted channel] against the md5 hash).

Clear as mud?  :)

- Steve

More information about the Twisted-Python mailing list