Authentication Problem

Odhiambo Washington odhiambo at gmail.com
Fri Dec 21 00:05:19 EET 2018


Nice to get to hear this. However, the password is not stored in clear text
here. How then does it work?

On Fri, Dec 21, 2018, 00:58 Joseph Tam <jtam.home at gmail.com> wrote:

> On Thu, 20 Dec 2018, Odhiambo Washington wrote:
>
> > At the expense of sounding stupid, could you please expound on the
> > sequence? :)
>
> In a nutshell, during the protocol handshake, the server gives the client
> a random string (nonce).  Both the server and the client perform a
> cryptographic hash of nonce+password, and the client tells the server
> the result of the hash, and the server compares the client's result with
> its own.  If the results match, it proves the client has knowledge of
> the password.
>
> The strength relies upon cryptographic hashes not being invertible.
> It's one way of protecting passwords from sniffing when you can't use SSL.
> However, there are many weaknesses: the password must be kept on the server
> in plaintext, offline brute forcing, etc.
>
> Joseph Tam <jtam.home at gmail.com>
>
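An added illustration of the exchange Joseph describes, with both sides' steps and the two weaknesses he names; this is example code written for this page, not from the thread or from Dovecot. It assumes a CRAM-MD5-style construction (an HMAC-MD5 keyed with the password over the nonce, which is what "hash of nonce+password" is in practice), a constructed user store, and hypothetical function names.

```python
import hashlib
import hmac
import secrets

# Constructed example store. The server has to keep the plaintext password
# to recompute the client's answer: the first weakness in the reply above.
USER_DB = {"alice": "correct horse battery staple"}


def server_challenge() -> bytes:
    """Server side: a fresh random nonce for every handshake."""
    return secrets.token_bytes(16)


def client_response(password: str, nonce: bytes) -> str:
    """Client side: prove knowledge of the password without sending it.
    CRAM-MD5 keys an HMAC-MD5 with the password and feeds it the nonce."""
    return hmac.new(password.encode(), nonce, hashlib.md5).hexdigest()


def server_verify(username: str, nonce: bytes, response: str) -> bool:
    """Server side: recompute from the stored plaintext password and
    compare in constant time, so the comparison itself leaks nothing."""
    password = USER_DB.get(username)
    if password is None:
        return False
    expected = client_response(password, nonce)
    return hmac.compare_digest(expected, response)


def run_handshake(username: str, password: str) -> bool:
    """The full exchange: challenge, response, verification."""
    nonce = server_challenge()
    response = client_response(password, nonce)
    return server_verify(username, nonce, response)


def offline_guess(nonce: bytes, response: str, candidates):
    """The second weakness: anyone holding a sniffed (nonce, response) pair
    can test guesses with no further contact with the server, which is why
    the transcript still needs TLS even though the password never crosses
    the wire.  Returns the matching candidate, or None."""
    for guess in candidates:
        if hmac.compare_digest(client_response(guess, nonce), response):
            return guess
    return None
```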