Posted by Harlan Messinger on 01/09/08 19:08
Alexander Mueller wrote:
> J.O. Aho wrote:
>>
>> As you mentioned your system would prevent the administrator from
>> knowing your password, then the password has to be hashed already at
>> the site, and therefore the hashing has to be the same in the form as
>> on the site, or else you would always fail the login or the site has
>> to spend a long time with cracktools to be able to find out the
>> password and then has it the way it's hashed on the site.
>
> Sorry, I don't really know what exactly you mean.
>
> Again, please reread my initial posting, I guess everything should be
> clear then :). The system wouldn't know the plain text password (which it
> doesn't need) but only the hash code.
OK, so the password has been left out of the server side entirely.
Instead, to access the application you need the hash value, and the
server administrator has access to *that*. So just substitute the word
"password" for the word "hash" and the server administrator is now able
to intercept the value of the hash that will give him access to the
application.
The point of an application storing a hash instead of the original
password is that it only accepts the password for authentication,
computing its hash when it's provided and comparing it with the hash
it has in its user lookup table. If someone hacks the user table and
finds the hashes, it won't do the hacker any good because the
application doesn't provide any interface for accessing the system by
providing the hash directly. If the hacker submits the hash as though
it were the password, the application will hash the hash, and the
computed rehash won't match the stored hash. The application has to see
the password itself before it will grant access.
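The two designs contrasted in the post, as an added example that is not code from anyone in the thread. It places the same salted PBKDF2 hash in a constructed user table and runs two login routines against it: one where the server hashes whatever is submitted (Harlan's description), and one where the client sends the hash and the server compares it directly (the scheme Alexander describes). The user name, password, salt and iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed example values; the salt is fixed so the run is reproducible.
# A real deployment would draw a random salt per user.
SALT = b"constructed-example-salt"
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Server-side hash: PBKDF2-HMAC-SHA256 over the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: the server stores only the hash, never the password.
USER_TABLE = {"alice": hash_password("correct horse battery staple")}


def login_server_hashes(username: str, submitted: str) -> bool:
    """Design the post defends: the server accepts only the password itself.
    It hashes whatever was submitted and compares that with the stored hash,
    so a submitted hash gets hashed again and will not match."""
    stored = USER_TABLE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(hash_password(submitted), stored)


def login_client_hashes(username: str, submitted_hash: bytes) -> bool:
    """Design the post criticises: the client sends the hash and the server
    compares it directly. The hash is now the credential, so anyone who can
    read it (the server administrator included) can log in with it."""
    stored = USER_TABLE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(submitted_hash, stored)


def demonstrate() -> dict:
    """Run both designs against a hash that has been exposed, e.g. by an
    administrator reading the table or the request, and report the outcome."""
    exposed_hash = USER_TABLE["alice"]
    return {
        # The real password works in the server-side-hashing design.
        "password_ok": login_server_hashes("alice", "correct horse battery staple"),
        # The exposed hash, offered as if it were the password, is hashed again
        # and the rehash does not match: the hash alone is useless here.
        "hash_as_password": login_server_hashes("alice", exposed_hash.hex()),
        # With client-side hashing the exposed hash is accepted as-is.
        "hash_replayed": login_client_hashes("alice", exposed_hash),
    }


if __name__ == "__main__":
    for check, outcome in demonstrate().items():
        print(f"{check}: {'login accepted' if outcome else 'login rejected'}")
```

The third result is the whole of Harlan's objection: once the client does the hashing, the value travelling over the wire and sitting in the table is exactly what the server needs to grant access, so renaming it from "password" to "hash" changes nothing about who can use it.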