[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
ralphs at blueairnetworks.com
Tue May 27 17:45:15 UTC 2003
Casey Crabb wrote:
> I don't think this is any more secure than just sha1(StreamID +
> password). What happens is that sha1(password) is
Seconded. I don't see how this improves security at all. You've just
taken a human-readable string (if it's a lousy password) and made it a
little harder to read over someone's shoulder. It does not make it any
harder to sniff the password on the wire, or to programmatically read it
out of the spool.
A far bigger problem IMHO is that of getting the initial "plain"
password to the server in the first place. The only viable solution
right now is to use an SSL connection, in which case the whole plain vs.
digest argument becomes rather a moot point.