On 8 July 2010 11:46, Andre Majorel <aym-2lqsgp@teaser.fr> wrote:
> The doc says « if you are at all concerned about password
> "sniffing" attacks then md5 is preferred. » but does not say why.
> It would seem that an MD5 hash can be sniffed and replayed just as
> well as a clear-text password.
>
> Maybe the doc needs to explain why "md5" is more secure than
> "password". Or, if it isn't, say so.
>
I believe the client hashes the password using MD5 and a salt, the
latter part being a random one sent to the client by the server, so
sniffing the password would be useless as you would have to have
sniffed the salt (strange phrase but there you go), have sniffed the
password, *and* be asked for exactly the same salt by the server
again.
I'm sure that's mentioned in the docs somewhere, although not on the
normal authentication page.
Thom