Posted by Jeff on 01/09/08 18:41
Alexander Mueller wrote:
> J.O. Aho wrote:
>>
>> As you mentioned, your system would prevent the administrator from
>> knowing your password, then the password has to be hashed already at
>> the site, and therefore the hashing has to be the same in the form as
>> on the site, or else you would always fail the login, or the site has
>> to spend a long time with cracktools to be able to find out the
>> password and then has it the way it's hashed on the site.
>
> Sorry, I don't really know what exactly you mean.
I think he's talking about the salt. Do you pass the salt with the
form submit? If you do, what is the security advantage?
All this looks a bit like Unix password encryption, where no one knows
the password, only if it is wrong. What would the application be?
Jeff
>
> Again, please reread my initial posting; I guess everything should be
> clear then :). The system wouldn't know the plain text password (which it
> doesn't need) but only the hash code. This can then be compared to the
> stored hash code. The only difference is the computation of the hash
> happens locally - no brute force, no same passwords.
>
> Alexander
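The scheme Alexander describes, as an added example that is not code from any of the posters: the server hands the per-user salt down with the login form, the browser hashes salt+password locally, and the server stores and compares only that digest, so it never sees the plaintext. SHA-256 over salt||password, the sample users and the salt format are assumptions (the thread names no hash). The `wrap` option is an added hardening, also not from the thread, that answers Jeff's "what is the security advantage" question: in the plain scheme the value sitting in the server's table is itself the login token, so anyone who reads the table can log in without ever cracking a password; hashing the submitted digest once more on the server removes that property, although a digest captured on the wire still replays in either variant.

```python
"""Client-side password hashing: browser computes the digest, server compares it.

Added example for the thread above; sample users, the salt format and the
choice of SHA-256 are constructed assumptions, not anything the posters wrote.
"""
import hashlib
import hmac
import secrets


def client_digest(password: str, salt: str) -> str:
    """What the browser computes before the form is submitted.

    SHA-256 over salt||password is an assumption; the thread names no hash.
    """
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def server_wrap(digest: str) -> str:
    """Added hardening not discussed in the thread: hash the submitted digest
    once more server-side before storing/comparing, so a leaked user table
    does not contain values that can be submitted directly as a login."""
    return hashlib.sha256(("server-wrap:" + digest).encode("utf-8")).hexdigest()


class Server:
    """Minimal model of the site: holds salts and stored digests only."""

    def __init__(self, wrap: bool = False):
        self.wrap = wrap
        self.users = {}  # username -> (salt, stored value)

    def register(self, username: str, password: str) -> None:
        # In the scheme under discussion the browser would hash at
        # registration too; the password is passed here only so the
        # example can build the digest in one place. The server stores
        # the digest (or its server-side wrap), never the password.
        salt = secrets.token_hex(16)
        digest = client_digest(password, salt)
        self.users[username] = (salt, server_wrap(digest) if self.wrap else digest)

    def salt_for(self, username: str) -> str:
        # Sent down with the login form so the browser can hash locally.
        return self.users[username][0]

    def verify(self, username: str, submitted_digest: str) -> bool:
        # The login form submits only the digest; compare in constant time.
        _, stored = self.users[username]
        candidate = server_wrap(submitted_digest) if self.wrap else submitted_digest
        return hmac.compare_digest(stored, candidate)


def browser_login(server: Server, username: str, password: str) -> bool:
    """The whole exchange: fetch salt, hash locally, submit the digest."""
    salt = server.salt_for(username)
    return server.verify(username, client_digest(password, salt))


def stored_value_replays(server: Server, username: str) -> bool:
    """Does the value in the server's own table log in by itself?

    True for the plain scheme (the stored digest is the credential),
    False once the server wraps submitted digests before comparing.
    """
    _, stored = server.users[username]
    return server.verify(username, stored)


if __name__ == "__main__":
    plain = Server()
    plain.register("alice", "correct horse")  # constructed sample user
    print("login ok:", browser_login(plain, "alice", "correct horse"))
    print("wrong pw:", browser_login(plain, "alice", "wrong"))
    print("table value logs in (plain):", stored_value_replays(plain, "alice"))

    wrapped = Server(wrap=True)
    wrapped.register("alice", "correct horse")
    print("login ok:", browser_login(wrapped, "alice", "correct horse"))
    print("table value logs in (wrapped):", stored_value_replays(wrapped, "alice"))
```

Run as a script to see both variants side by side. The point the `wrap=True` branch makes is that moving the hash into the browser changes which secret the server holds, not whether it holds one: whatever the server compares against is what an attacker who reads the table needs, so the server should still treat the submitted digest as a password and hash it again before storage.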