http://qs1969.pair.com?node_id=153804


in reply to Re: Plaintext passwords?
in thread We blame tye.

Having the client hash the password before sending it over the wire is a start, but doesn't help much if the server isn't who the client thinks it is, since the attacker can just play back the password hash at the real server.
That's why HTTP digest authentication includes a variable "nonce" value. The server sends the nonce to the client when it first attempts to access the page. The client calculates the hash of the password and the nonce together, and sends that back to the server. The server verifies that the hash it recieved was calculated with a valid password and a nonce that was actually sent to that client recently.

If someone tries to replay an old password hash, the server won't accept it, because it won't have a valid nonce.

If the nonce used contains some (cryptographic) function of the time and the client's IP, you can avoid the problem of having to have the server remember which nonces are valid.

The problem, of course, is that the server has to have the password in plaintext so it can calculate the hash and see if it matches the one it got from the client.