Nice to get to hear this. However, the password is not stored in clear text here. How then does it work?
On Fri, Dec 21, 2018, 00:58 Joseph Tam <jtam.h...@gmail.com> wrote:

> On Thu, 20 Dec 2018, Odhiambo Washington wrote:
>
> > At the expense of sounding stupid, could you please expound on the
> > sequence? :)
>
> In a nutshell, during protocol handshake, the server gives the client
> a random string (nonce). Both the server and client perform a
> cryptographic hash of nonce+password, and the client tells the server
> the result of the hash, and the server compares the client's result with
> its own. If the results match, it proves the client has knowledge of
> the password.
>
> The strength relies upon cryptographic hashes not being invertible.
> It's one way of protecting the password from sniffing when you can't use SSL.
> However, there are many weaknesses: the password must be kept on the server
> in plaintext, offline brute forcing, etc.
>
> Joseph Tam <jtam.h...@gmail.com>
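The exchange Joseph describes, as an added Python example that is not code from the thread or from any mail server: the server issues a random nonce, both sides hash nonce+password, and the server compares. It uses SHA-256 over nonce+password exactly as the post phrases it (real CRAM-MD5 uses HMAC-MD5 keyed with the password); the user table and wordlist are constructed, and the example also shows the two weaknesses named above: the server must hold the plaintext password, and a sniffed (nonce, response) pair can be tested offline.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Constructed sample credential store. Note that it must hold the plaintext
# password: the server has to recompute hash(nonce + password) itself, so a
# stored one-way hash of the password alone would not let it verify anything.
USERS = {"alice": "correct horse battery staple"}


def server_challenge() -> str:
    # A fresh random nonce per handshake; a response captured under one nonce
    # is useless against a later challenge (no replay).
    return secrets.token_hex(16)


def response(nonce: str, password: str) -> str:
    # Simplified per the post: a plain hash of nonce+password.
    return hashlib.sha256((nonce + password).encode("utf-8")).hexdigest()


def server_verify(user: str, nonce: str, client_response: str) -> bool:
    password = USERS.get(user)
    if password is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(response(nonce, password), client_response)


def handshake(user: str, password: str) -> Tuple[str, str, bool]:
    # Returns the transcript an eavesdropper would see plus the server's verdict.
    nonce = server_challenge()
    client_response = response(nonce, password)
    return nonce, client_response, server_verify(user, nonce, client_response)


def offline_guess(nonce: str, captured: str, wordlist: Iterable[str]) -> Optional[str]:
    # Why a sniffed transcript is still a credential leak: anyone holding
    # (nonce, response) can test candidate passwords without contacting the
    # server, so the scheme's real strength is the password's guessability.
    for candidate in wordlist:
        if response(nonce, candidate) == captured:
            return candidate
    return None


if __name__ == "__main__":
    nonce, resp, ok = handshake("alice", "correct horse battery staple")
    print("verified:", ok)
    print("replayed under a new nonce:", server_verify("alice", server_challenge(), resp))
    print("offline guess:", offline_guess(nonce, resp, ["password", "correct horse battery staple"]))
```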