Subject: Password Digest
UsernameToken Profile, working draft 4, 11/08/2003, lines 106-108 say that a digested password offers no additional security. Did I miss something here? The issue is not what is sent over the network; instead it is how the service side compares the password. If the clear text password is used, then the Service Provider has to store the clear text password for password validation. This is a security issue.

Also, line 119, Password_Digest = Base64(SHA-1(nonce + created + password)), has the same problem. In this case, the Service Provider is unable to store a hashed password; instead it has to store the clear text password in its database. This will create a big security issue.

If the password digest is changed to the following, then this issue goes away:

Password_Digest = Base64(SHA-1(nonce + created + SHA-1(password)))

Can this suggestion be considered?

Eclouge Chang
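The point of the post is what the service must keep on disk to verify a digest. The following is an added example, not code from the post or from the OASIS profile: it computes the draft's digest and the proposed variant side by side, and runs a service-side verifier against each kind of stored credential. The nonce, created value and password are constructed sample values; the inner SHA-1(password) in the proposed variant is assumed to be fed in as raw digest bytes, since the post does not say how it is encoded.

```python
import base64
import hashlib
import hmac
import os


def make_nonce() -> bytes:
    """Fresh 16-byte nonce, as the client would send in wsse:Nonce."""
    return os.urandom(16)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Draft scheme quoted in the post: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def password_hash(password: str) -> bytes:
    """Inner SHA-1(password) of the proposed variant (assumed: raw 20-byte digest)."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def hashed_password_digest(nonce: bytes, created: str, password: str) -> str:
    """Proposed variant: Base64(SHA-1(nonce + created + SHA-1(password)))."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password_hash(password)).digest()
    return base64.b64encode(raw).decode("ascii")


class Verifier:
    """Service side. `store` maps username -> whatever credential the service keeps.

    hashed=False: the store holds clear text passwords (what the draft scheme forces).
    hashed=True:  the store holds only SHA-1(password) (what the proposed scheme allows).
    """

    def __init__(self, store: dict, hashed: bool):
        self.store = store
        self.hashed = hashed
        self.seen_nonces = set()  # simple replay cache; a real service also bounds `created`

    def verify(self, username: str, nonce: bytes, created: str, digest: str) -> bool:
        if nonce in self.seen_nonces:  # replayed token: reject before doing any work
            return False
        cred = self.store.get(username)
        if cred is None:
            return False
        if self.hashed:
            # Only the stored hash is needed; the clear text password never touches the service.
            inner = cred
        else:
            inner = cred.encode("utf-8")
        expected = hashlib.sha1(nonce + created.encode("utf-8") + inner).digest()
        ok = hmac.compare_digest(base64.b64encode(expected).decode("ascii"), digest)
        if ok:
            self.seen_nonces.add(nonce)
        return ok


def demo() -> dict:
    """Run both schemes against both kinds of credential store and report the outcomes."""
    username, password = "alice", "correct horse battery staple"  # constructed sample credential
    created = "2003-11-08T12:00:00Z"  # constructed wsu:Created timestamp
    nonce = make_nonce()

    clear_store_svc = Verifier({username: password}, hashed=False)
    hashed_store_svc = Verifier({username: password_hash(password)}, hashed=True)

    draft = password_digest(nonce, created, password)
    proposed = hashed_password_digest(nonce, created, password)
    n2 = make_nonce()
    return {
        # Draft digest verifies, but only because the service kept the clear text password.
        "draft_ok": clear_store_svc.verify(username, nonce, created, draft),
        # Same token presented again is rejected by the nonce cache.
        "draft_replay": clear_store_svc.verify(username, nonce, created, draft),
        # Proposed digest verifies with nothing but SHA-1(password) in the store.
        "proposed_ok": hashed_store_svc.verify(username, nonce, created, proposed),
        # Wrong password under the proposed scheme fails.
        "proposed_wrong_pw": hashed_store_svc.verify(
            username, n2, created, hashed_password_digest(n2, created, "wrong")),
        # The two schemes are not interchangeable: a draft digest fails against a hash-only store.
        "draft_digest_vs_hashed_store": hashed_store_svc.verify(username, n2, created,
                                                                password_digest(n2, created, password)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

One caveat a service operator would want alongside the proposal: under the variant, the stored SHA-1(password) is itself enough to produce valid digests, so a copy of that table is a credential-equivalent, and an unsalted SHA-1 of a user-chosen password is cheap to reverse offline. The scheme removes the clear text from the database but does not make the stored value safe to leak.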