[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Ralph Siemsen ralphs at blueairnetworks.com
Tue May 27 17:45:15 UTC 2003

Casey Crabb wrote:

> I don't think this is any more secure than just sha1(StreamID +
> password). What happens is that sha1(password) is
> password-equivalent.

Seconded.  I don't see how this improves security at all.  You've just 
taken a human-readable string (if it's a lousy password) and made it a 
little harder to read over someone's shoulder.  It does not make it any 
harder to sniff the password on the wire, or to programmatically read it 
out of the spool.

A far bigger problem IMHO is that of getting the initial "plain" 
password to the server in the first place.  The only viable solution 
right now is to use an SSL connection.  In which case the whole plain vs 
digest argument becomes rather a moot point.
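The "password-equivalent" point above, worked through as an added example (this is not code from the list message or from JEP-78 itself). It models the two-step variant under discussion as sha1(StreamID + sha1(password)), with the server keeping sha1(password) in its spool; that layout, the stream id and the password are constructed assumptions. The point it demonstrates is that the verifier needs nothing but the stored digest to produce a valid response, so a digest read out of the spool has to be protected exactly like the plaintext password would be.

```python
import hashlib
import hmac


def sha1_hex(data: str) -> str:
    """SHA-1 of a UTF-8 string, hex encoded."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def client_response(stream_id: str, password: str) -> str:
    """What the client sends: sha1(StreamID + sha1(password)).

    Assumed layout of the scheme discussed in the thread; the client
    starts from the real password.
    """
    return sha1_hex(stream_id + sha1_hex(password))


def server_verify(stream_id: str, stored_digest: str, response: str) -> bool:
    """Server-side check.

    The server holds only sha1(password) (the 'spool' value) and recomputes
    the expected response from it.  Note that the password itself is never
    needed here, which is exactly why the stored digest is password-equivalent.
    """
    expected = sha1_hex(stream_id + stored_digest)
    return hmac.compare_digest(expected, response)


def response_from_stored_digest_only(stream_id: str, stored_digest: str) -> str:
    """Produce a valid response knowing only the spool value, not the password.

    This is the same computation the verifier performs; it exists here to make
    the equivalence explicit for the reader, not as a separate 'technique'.
    """
    return sha1_hex(stream_id + stored_digest)


def demo() -> tuple[bool, bool, bool]:
    """Return (genuine_accepted, digest_only_accepted, responses_identical)."""
    password = "correct horse battery staple"      # constructed sample password
    stream_id = "constructed-stream-id-0001"       # constructed sample StreamID
    spool_value = sha1_hex(password)               # what the server stores

    genuine = client_response(stream_id, password)
    digest_only = response_from_stored_digest_only(stream_id, spool_value)

    return (
        server_verify(stream_id, spool_value, genuine),
        server_verify(stream_id, spool_value, digest_only),
        genuine == digest_only,
    )


if __name__ == "__main__":
    accepted_real, accepted_digest_only, same = demo()
    print("genuine client accepted:      ", accepted_real)
    print("spool-digest-only accepted:   ", accepted_digest_only)
    print("both responses identical:     ", same)
```

All three results are true: a challenge-response built on a stored sha1(password) keeps the password out of the spool, but the spool value itself unlocks the account, so the sniffing and spool-reading concerns in the message above still apply, and the real defence remains protecting the channel (SSL) and the storage.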


