[clug] A Question About Password Handling and Authentication Mechanisms

Brad Hards bradh at frogmouth.net
Wed Nov 26 00:11:18 MST 2014

On Tue, 25 Nov 2014 04:36:18 PM jm wrote:
> I've been meaning to look into/ask if there exists a challenge-response
> mechanism for passwords where the password doesn't have to be stored in
> plain text or in a recoverable form, ie it can be stored using a
> cryptographic hash. In fact, no where is the password stored or
> transmitted over a channel in a recoverable form. Does anyone know of
> such a beast?
Probably lots.  Digest auth is one example: 

Unless you've got a strong background and peer review of your auth mechanism, 
please don't invent one. Its very easy to make a mistake that renders the 
whole thing worthless and not realise it. Also interoperability is already 
hard enough without adding more options.


More information about the linux mailing list