Posted by J.O. Aho on 01/09/08 18:27
Alexander Mueller wrote:
> J.O. Aho wrote:
>> The hash type will always be the same for a site, as the passwords will
>> always be stored in that type, a site that uses md5 hashed passwords will
>> never request a sha1 hashed password, as then they can't validate the
>> password is correct.
>
> I never talked about a mixture of hash types.
>
> It is about the secure transmission. The hash for a password will never
> be the same for a site but only for identical passwords (which is a
> required behaviour).
As you mentioned your system would prevent the administrator from knowing your
password, then the password has to be hashed already at the site, and
therefore the hashing has to be the same in the form as on the site, or
else you would always fail the login or the site has to spend a long time with
crack tools to be able to find out the password and then hash it the way it's
hashed on the site.
--
//Aho