E.S. Rosenberg wrote:
Since the hashing functions also exist on the client side what stops the protocols from basing the hash requested from the client on the _hash_ of the users' password?
They're not designed to do that. This isn't a difficult concept. Protocols are defined to have a certain behavior. You can't just randomly change the behavior, and expect the same results. All of the rest of your speculations are based on inexperience, and a lack of understanding of how these protocols work. We're not the ones who designed the protocols. We're not the ones who implemented the Microsoft, Apple, etc. side of the protocols. We're just explaining to you why your ideas won't work. There's no point in discussing changes on this list. For one, you don't know what changes to make, because you don't know how the protocols work. For two, we don't control the protocol design or their implementations. Alan DeKok.