[clug] A Question About Password Handling and Authentication Mechanisms
bradh at frogmouth.net
Wed Nov 26 00:11:18 MST 2014
On Tue, 25 Nov 2014 04:36:18 PM jm wrote:
> I've been meaning to look into/ask if there exists a challenge-response
> mechanism for passwords where the password doesn't have to be stored in
> plain text or in a recoverable form, i.e. it can be stored using a
> cryptographic hash. In fact, nowhere is the password stored or
> transmitted over a channel in a recoverable form. Does anyone know of
> such a beast?
Probably lots. Digest auth is one example:
Unless you've got a strong background and peer review of your auth mechanism,
please don't invent one. It's very easy to make a mistake that renders the
whole thing worthless and not realise it. Also interoperability is already
hard enough without adding more options.
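The Digest auth exchange mentioned in the reply, as an added example that is not part of the original post: a sketch of the RFC 2617 computation (MD5, qop=auth) in which the server keeps only a hash of the credentials and the password never crosses the channel. The function names and record layout are assumptions made for illustration; the sample values are the worked example from RFC 2617.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def enroll(username: str, realm: str, password: str) -> dict:
    # Server-side record (hypothetical layout): only HA1 is stored.
    # HA1 is all that is needed to compute responses for this realm,
    # so the record still has to be protected like a credential.
    return {"username": username, "realm": realm,
            "ha1": md5_hex(f"{username}:{realm}:{password}")}


def digest_response(ha1, nonce, nc, cnonce, method, uri, qop="auth"):
    # RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_answer(username, realm, password, nonce, nc, cnonce, method, uri):
    # The client derives HA1 from the typed password and sends only the
    # response hash, bound to the server's nonce and its own cnonce.
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    return digest_response(ha1, nonce, nc, cnonce, method, uri)


def server_verify(record, nonce, nc, cnonce, method, uri, response):
    # The server recomputes the response from its stored HA1 and
    # compares in constant time.
    expected = digest_response(record["ha1"], nonce, nc, cnonce, method, uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Sample values from the RFC 2617 worked example.
    record = enroll("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # server challenge
    resp = client_answer("Mufasa", "testrealm@host.com", "Circle Of Life",
                         nonce, "00000001", "0a4f113b",
                         "GET", "/dir/index.html")
    print(resp, server_verify(record, nonce, "00000001", "0a4f113b",
                              "GET", "/dir/index.html", resp))
```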