11 Nov
2014
11 Nov
'14
9:58 a.m.
On 11/11/14 14:41, E.S. Rosenberg wrote:
Since the hashing functions also exist on the client side what stops the protocols from basing the hash requested from the client on the _hash_ of the users' password?
Nothing "stops" the protocols doing that. They just don't, because they weren't very well designed. You need to understand what people are telling you - designing a new, better protocol isn't the problem. EAP-PWD, or older protocols like SRP, have solved this problem. The problem is updating the hundreds of millions of laptops, tablets, and mobile phones. The problem is inertia. It's not a technical problem, and you can't look for technical solutions.