Michael Ströder <[EMAIL PROTECTED]> writes:

> But if the password checking is done with a challenge-response
> mechanism (e.g. HTTP-Digest Auth or SASL with DIGEST-MD5) it's
> required that the instance checking the password has the clear-text
> password available. So reversible encryption for storing passwords
> might be required.
If you're trying to authenticate network logins using passwords, and if you have control over both ends of the protocol but for some reason don't want to use a full-blown encryption scheme, it's far better to authenticate with something like SRP (http://srp.stanford.edu) than a more primitive method like HTTP digest auth. SRP doesn't require storing plaintext passwords, and more importantly, it protects the password from offline dictionary searches by someone sniffing the network connection.

There is a Python SRP implementation embedded in TLSLite (www.trevp.com/tlslite) but it might be nice to extract or reimplement the SRP code so that it can be used separately from TLS.

-- 
http://mail.python.org/mailman/listinfo/python-list
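The exchange the reply recommends, as an added example that is not part of the original post and is not TLSLite's SRP code: a stand-alone SRP-6a client and server in pure Python. It shows the two properties the reply cares about, that the server stores only a salt and a verifier v = g^x (never the password, reversible or otherwise), and that what a sniffer sees (salt, A, B and the two proofs) does not let them test password guesses offline. The group is the 1024-bit (N, g) from RFC 5054 Appendix A, transcribed here, with a Miller-Rabin check so you can confirm the transcription; SHA-256 as the hash, the 128-byte padding of A, B, g and N, the 256-bit private exponents and the exact layout of the M1/M2 proofs are this example's own choices (assumptions), so follow RFC 5054 / RFC 2945 verbatim if you need to interoperate.

```python
import hashlib
import hmac
import secrets

# RFC 5054 Appendix A, 1024-bit group (transcribed; is_probable_prime() below
# lets you verify that N and (N-1)/2 are prime before trusting this copy).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8          # 128 bytes


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; only used to sanity-check the group."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding so hashed integers are unambiguous (assumption: NLEN)."""
    return n.to_bytes(NLEN, "big")


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


k = to_int(H(pad(N), pad(g)))             # SRP-6a multiplier k = H(N | g)


def private_x(salt: bytes, identity: str, password: str) -> int:
    """x = H(salt | H(I ':' P)); only the client ever computes this."""
    return to_int(H(salt, H(identity.encode() + b":" + password.encode())))


def client_proof(identity: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """M1 = H(H(N) xor H(g) | H(I) | s | A | B | K); layout is this example's choice."""
    return H(xor(H(pad(N)), H(pad(g))), H(identity.encode()), salt, pad(A), pad(B), K)


def register(identity: str, password: str):
    """Enrolment: the server keeps (salt, v = g^x mod N), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


class SRPServer:
    def __init__(self, db: dict):
        self.db = db                      # identity -> (salt, verifier)

    def challenge(self, identity: str, A: int):
        if A % N == 0:                    # reject A == 0: it would force S == 0
            raise ValueError("client sent A == 0 mod N")
        salt, v = self.db[identity]
        self.b = secrets.randbits(256)
        B = (k * v + pow(g, self.b, N)) % N
        u = to_int(H(pad(A), pad(B)))
        S = pow(A * pow(v, u, N), self.b, N)      # (A * v^u)^b
        self.K = H(pad(S))
        self.M1, self.A = client_proof(identity, salt, A, B, self.K), A
        return salt, B

    def verify_client(self, M1: bytes):
        """Returns the server proof M2 on success, None on a wrong password."""
        if not hmac.compare_digest(self.M1, M1):
            return None
        return H(pad(self.A), self.M1, self.K)


class SRPClient:
    def __init__(self, identity: str, password: str):
        self.I, self.P = identity, password
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:                    # reject B == 0 (same reason as A above)
            raise ValueError("server sent B == 0 mod N")
        u = to_int(H(pad(self.A), pad(B)))
        if u == 0:
            raise ValueError("u == 0")
        x = private_x(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)   # (B - k g^x)^(a + ux)
        self.K = H(pad(S))
        self.M1 = client_proof(self.I, salt, self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        return hmac.compare_digest(H(pad(self.A), self.M1, self.K), M2)


def authenticate(server: SRPServer, identity: str, password: str):
    """Drive one full exchange; returns the shared key K if both proofs verify, else None."""
    client = SRPClient(identity, password)
    salt, B = server.challenge(identity, client.A)          # wire: I, A  ->  salt, B
    M2 = server.verify_client(client.respond(salt, B))      # wire: M1    ->  M2
    if M2 is None or not client.verify_server(M2):
        return None
    return client.K


if __name__ == "__main__":
    db = {"alice": register("alice", "correct horse battery staple")}   # constructed user
    srv = SRPServer(db)
    print("good password:", authenticate(srv, "alice", "correct horse battery staple") is not None)
    print("bad password: ", authenticate(srv, "alice", "wrong") is not None)
```

Two practitioner notes. First, an attacker who steals the server's table gets only v; turning it into a password still costs a dictionary attack per user, which is the best a password-based scheme can offer, so rate-limit guesses on the wire and use a larger RFC 5054 group (2048-bit or more) in real deployments. Second, `challenge()` raises KeyError for an unknown identity, which leaks whether a username exists; a production server should answer with a salt derived from the identity and a random B so that unknown and wrong-password cases are indistinguishable.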