On 05 Jan 2003 18:48:01 -0500 "David E. Storey" dave@tamos.net wrote:
While digest-md5 is fairly secure from a transport perspective, it's a nightmare on the server side. In order for it to work, you've got to store account passwords in plain text on the server. In my opinion, this is "plain" wrong. (pun intended) Passwords should be hashed: even for closed systems. The fallacy lies with the wetware and people tend to
Umm, forgive me, but as I understand DIGEST-MD5, it does store hashed. Are you thinking of CRAM-MD5? As far as I know, that requires plain-text storage on the server, and I agree with your criticisms. I happen to like DIGEST-MD5 because it looks like someone finally came along and got the SASL auth mechanism right.
But perhaps I'm the one that's mistaken.
Amy!
Amelia A. Lewis    amyzing {at} talsever.com
Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise.
    -- The Duchess [Lewis Carroll]
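The server-side storage question raised in this exchange, worked through as an added example that is not part of either message: it computes a DIGEST-MD5 response (RFC 2831, qop=auth, no authzid) from the stored hash H(user:realm:password) alone, next to a CRAM-MD5 response (RFC 2195), which is an HMAC keyed with the shared secret. Function names are this example's own; the sample values are taken from the example exchanges printed in those two RFCs.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_stored(user: str, realm: str, password: str) -> bytes:
    """Per-account value a DIGEST-MD5 server can keep instead of the
    password: the raw 16-byte H(user:realm:password)."""
    return md5(f"{user}:{realm}:{password}".encode())

def digest_md5_response(stored: bytes, nonce: str, cnonce: str,
                        nc: str, digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response, derived from the stored hash only."""
    ha1 = md5(stored + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def digest_md5_verify(stored: bytes, client_response: str, **params) -> bool:
    """Server-side check: recompute from the stored hash, compare in
    constant time. The plaintext password is never needed here."""
    expected = digest_md5_response(stored, **params)
    return hmac.compare_digest(expected, client_response)

def cram_md5_response(secret: str, challenge: str) -> str:
    """RFC 2195 response: HMAC-MD5 over the challenge, keyed with the
    shared secret itself, so the verifier must hold that key."""
    return hmac.new(secret.encode(), challenge.encode(),
                    hashlib.md5).hexdigest()

# Sample values from the RFC 2831 example exchange (password "secret").
PARAMS = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
              nc="00000001", digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    stored = digest_md5_stored("chris", "elwood.innosoft.com", "secret")
    resp = digest_md5_response(stored, **PARAMS)
    print("DIGEST-MD5 stored value :", stored.hex())
    print("DIGEST-MD5 response     :", resp)
    print("verified from hash only :", digest_md5_verify(stored, resp, **PARAMS))
    # Sample values from the RFC 2195 example exchange.
    print("CRAM-MD5 response       :", cram_md5_response(
        "tanstaaftanstaaf", "<1896.697170952@postoffice.reston.mci.net>"))
```

The stored DIGEST-MD5 value is bound to one username and realm, but it is all that is needed to compute a valid response for that realm, so it has to be protected like a credential.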