Greg Stark wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>
> > With the 'md5' method the server will send will send a randomly
> > generated salt to the client which will then concatenate the user's name
> > to the password, perform an md5 on that result, then concatenate the
> > result of the md5 to the salt provided by the server and will then md5
> > that.
>
> I think that in this case calling it a salt altogether is wrong. It's a
> "challenge".
>
> And I'm inclined to suggest that this authentication method be removed
> altogether. The security flaw is that it exists at all. Not the details of the
> implementation.
That idea is so detached from reality, I don't know how to respond.
-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610)
359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square,
Pennsylvania19073