Posted by Sanders Kaufman on 11/21/07 19:58

"C. (http://symcbean.blogspot.com/)" <colin.mckinnon@gmail.com> wrote in
message news:f41b190d-7b7b-482c-9bee-
> On 20 Nov, 16:52, The Natural Philosopher <a...@b.c> wrote:

> Maybe he just means a challenge based hash system to avoid sending
> passwords in clear text. Or maybe he means CHAP as implemented in PPP,
> or maybe he means CHAP as implemented by Microsoft for PPP.
>
> In the case of the former, see
> http://groups.google.co.uk/group/comp.lang.php/browse_thread/thread/c5960aa0afac2621/4993d290eb78f811?hl=en&lnk=gst&q=MD5+salt

In my experience, when a non-techie customer says something like that, it's
because someone somewhere told them CHAP was important, and it just got
stuck in their craw.
It's usually not wise to try to "correct" them.
The best way to deal with something like that is to ensure that you do
perform some kind of Challenge/Authentication; call it a "protocol"; and
explain that you're already on the right track with their state goal.

It accomlishes several things.
1. It reassures them that they have not been duped by previous contractors.
2. It reassures them that you are not trying to dupe them.
3. It meets the spec, rather than trying to change the spec.

That last one is VERY important.

[Back to original message]