Posted by Harlan Messinger on 01/09/08 21:36
Alexander Mueller wrote:
> Harlan Messinger wrote:
>>
>> But since the hash, not the password, is what gets access to the
>> application, how is this helpful?
>
> Please! Reread my initial posting, all your questions should be answered
> there. All advantages are listed there.
>
>> Having the value of a string called a "password" is not an end in
>> itself. The point is that the administrator has the data he needs to
>> get into the application.
>
> It's not about getting into an application. This is always possible. It's
> about protecting the password and preventing replay attacks.
>
>> And if you're talking about a situation where the administrator has
>> access to the application itself (this isn't a given, but you've just
>> added it to the scenario),
>
> It isn't a given? In most cases the Administrator has access to the
> application itself.

I mean "access" in the way we're using it to apply to anyone
else--access to *use* the application.