[Twisted-Python] PB and hashed passwords

Uwe C. Schroeder uwe at oss4u.com
Fri Apr 23 03:06:10 EDT 2004


On Thursday 22 April 2004 11:19 pm, Stephen Waterbury wrote:
> Uwe C. Schroeder wrote:
> > .... Maybe I don't get it, but where
> > is the sense in sending a password in cleartext over the wire to then md5
> > it on the "server" side?
> > I'd rather md5 it on the client side and send the hash to be compared
> > against the password storage, which also stores an md5.
>
> That wouldn't make sense:  if you send the passwd as md5 hash
> to be compared against itself stored as md5 hash, it's the
> same as sending the passwd cleartext, since you are effectively
> using the md5 hashed passwd *as* the passwd (and if anyone
> intercepts it they can use it directly to get access).

You've got a point there; however, assume you have a snooper in between: an md5 
hash is much less suspicious/easy to filter.

> The point of storing it on the server side as an md5 hash
> is that even if someone breaks in and steals the md5 hash
> of the passwd, they can't reverse the hash to get the
> cleartext passwd, and so they can't get in (since the
> checker checks the cleartext passwd [which came in over
> an encrypted channel] against the md5 hash).

Would be nice to have ssh with pb :-) Has anyone written that yet? (Don't ask 
me to volunteer, I've got deadlines up to my neck.)

	UC

-- 
Open Source Solutions 4U, LLC	2570 Fleetwood Drive
Phone:  +1 650 872 2425		San Bruno, CA 94066
Cell:   +1 650 302 2405		United States
Fax:    +1 650 872 2417
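The two designs argued over above, side by side, as an added Python example (not code from the thread, and not Twisted PB's own cred implementation): sending md5(password) as the credential is replayable, while binding the stored hash to a server-issued nonce is not. The user name, password and the choice of HMAC-SHA256 for the response are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: the server keeps only md5(password), as in the thread.
USERS = {"uwe": hashlib.md5("correct horse".encode("utf-8")).hexdigest()}


def md5_of(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def login_hash_as_password(user: str, sent_hash: str) -> bool:
    """Scheme 1: client sends md5(password), server compares with stored md5.
    The value on the wire *is* the credential, so a captured one can simply be
    presented again (the point made in the reply)."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, sent_hash)


def new_challenge() -> bytes:
    """Scheme 2: server issues a fresh random nonce for each login attempt."""
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> str:
    """Client keys an HMAC with md5(password) over the nonce; neither the
    password nor its md5 goes over the wire."""
    key = md5_of(password).encode("ascii")
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def login_challenge_response(user: str, challenge: bytes, response: str) -> bool:
    """Server recomputes the expected response from its stored md5. A captured
    response is bound to one nonce, so replaying it against a new challenge
    fails. Caveat: the stored md5 is still the effective secret here, so the
    'stolen hash' case from the reply is not covered by this scheme."""
    stored = USERS.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode("ascii"), challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    captured = md5_of("correct horse")  # what a snooper sees under scheme 1
    print("replayed md5 accepted:", login_hash_as_password("uwe", captured))
    c = new_challenge()
    r = client_response("correct horse", c)
    print("fresh response accepted:", login_challenge_response("uwe", c, r))
    print("replayed response accepted:", login_challenge_response("uwe", new_challenge(), r))
```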