[JDEV] New Secure Authentication Mechanism
Sami Haahtinen
ressu at ressukka.net
Mon May 20 14:04:10 CDT 2002
On Sun, May 19, 2002 at 10:47:52AM -0600, David Waite wrote:
> Nah, the server does not need to store the password, it just needs to
> store the password verifier as a number, which (assuming standard 'g'
> and 'N') is g^(SHA(salt + SHA(username + ':' + password))) % N.
and this would effectively make it specific to this service (it's not
possible to reuse the passwords for anything else)
don't get me wrong, this would make the authentication itself more
secure, and the passwords secure if _all_ applications that use the
passwords use the same method (which is unlikely to happen)
Sami
--
-< Sami Haahtinen >-
-[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C >-
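
The verifier formula quoted in the message above, worked through as an added example (not part of the original thread or of any Jabber server code). It assumes SHA means SHA-1 and uses the 1024-bit group from RFC 5054 as the "standard 'g' and 'N'"; the function names and the sample account are constructed for illustration.

```python
import hashlib
import os
from typing import Optional

# Assumption: the RFC 5054 Appendix A 1024-bit group stands in for the
# "standard g and N" of the quoted message; SHA is taken to be SHA-1.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def private_exponent(username: str, password: str, salt: bytes) -> int:
    """x = SHA(salt + SHA(username + ':' + password)), as an integer."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def make_record(username: str, password: str,
                salt: Optional[bytes] = None) -> dict:
    """What the server keeps: salt and verifier v = g^x % N, no password."""
    salt = os.urandom(16) if salt is None else salt
    v = pow(g, private_exponent(username, password, salt), N)
    return {"username": username, "salt": salt, "verifier": v}


def matches(record: dict, candidate: str) -> bool:
    """True if the candidate password derives the stored verifier.

    The record is only meaningful to code that repeats this exact derivation.
    """
    x = private_exponent(record["username"], candidate, record["salt"])
    return pow(g, x, N) == record["verifier"]


if __name__ == "__main__":
    # Constructed sample account, using the RFC 5054 Appendix B test inputs.
    rec = make_record("alice", "password123",
                      bytes.fromhex("BEB25379D1A8581EB5A727673A2441EE"))
    print("stored fields:", sorted(rec))
    print("verifier:", format(rec["verifier"], "x")[:32], "...")
    print("right password:", matches(rec, "password123"))
    print("wrong password:", matches(rec, "password124"))
```

The stored record holds a username, a salt and a number; a mechanism that needs the plaintext or a differently constructed hash has nothing in it to work from.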