Re: You're on SecurityFocus.com for the cleartext passwords.

From Benjamin Adida
Subject Re: You're on SecurityFocus.com for the cleartext passwords.
Date
Msg-id B539DFB5.371E%ben@mit.edu
In response to Re: You're on SecurityFocus.com for the cleartext passwords.  (Vince Vielhaber <vev@michvhf.com>)
Responses Re: You're on SecurityFocus.com for the cleartext passwords.
List pgsql-hackers
on 5/6/00 2:40 PM, Vince Vielhaber at vev@michvhf.com wrote:

> Why should this work?  Because the next time the client tries to connect
> it will be given a different salt.   But why twice?  It seems that once
> would be enough since it's a random salt to begin with and the client
> should never be getting that salt twice.

No, the reason why you would have "two" hashes is so that the server doesn't
have to store the cleartext password. The server stores an already-hashed
version of the password, so the client must hash the cleartext twice, once
with a long-term salt, once with a random, one-time salt.

-Ben
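
The exchange described in the message above, as an added example that is not part of the original post or of any PostgreSQL code: the server keeps only a salted hash, and the client hashes twice, once with the long-term salt and once with a fresh one-time salt. SHA-256 and the names `h`, `Server`, `client_response` and `demo` are assumptions made for illustration; the thread names no algorithm.

```python
import hashlib
import hmac
import secrets

def h(data: bytes, salt: bytes) -> bytes:
    # Salted hash. SHA-256 is an assumption; the thread names no algorithm.
    return hashlib.sha256(salt + data).digest()

class Server:
    """Keeps the long-term salt and salted hash per user, never the cleartext."""
    def __init__(self):
        self.users = {}    # user -> (long_term_salt, stored_hash)
        self.pending = {}  # user -> one-time salt of the login in progress

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, h(password.encode(), salt))

    def challenge(self, user):
        # Hand out the long-term salt plus a fresh random one-time salt.
        self.pending[user] = secrets.token_bytes(16)
        return self.users[user][0], self.pending[user]

    def verify(self, user, response):
        one_time = self.pending.pop(user, None)  # each one-time salt is used once
        if one_time is None:
            return False
        expected = h(self.users[user][1], one_time)
        return hmac.compare_digest(expected, response)

def client_response(password, long_term_salt, one_time_salt):
    # Hash twice: once with the long-term salt, once with the one-time salt.
    return h(h(password.encode(), long_term_salt), one_time_salt)

def demo():
    server = Server()
    server.enroll("alice", "correct horse")  # constructed sample account
    lt, ot = server.challenge("alice")
    old = client_response("correct horse", lt, ot)
    first = server.verify("alice", old)      # valid login
    server.challenge("alice")                # next connection gets a new salt
    replay = server.verify("alice", old)     # response to the old salt
    lt, ot = server.challenge("alice")
    wrong = server.verify("alice", client_response("guess", lt, ot))
    return first, replay, wrong

if __name__ == "__main__":
    print(demo())
```

The stored hash is the input to the second hash on the server side, so it needs the same protection as a password even though it is not the cleartext.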


