Authentication protocols that DO support hashed passwords
Phil Mayers
p.mayers at imperial.ac.uk
Tue Nov 11 15:58:43 CET 2014
On 11/11/14 14:41, E.S. Rosenberg wrote:
> Since the hashing functions also exist on the client side what stops
> the protocols from basing the hash requested from the client on the
> _hash_ of the users' password?

Nothing "stops" the protocols doing that. They just don't, because they
weren't very well designed.

You need to understand what people are telling you - designing a new,
better protocol isn't the problem. EAP-PWD, or older protocols like SRP,
have solved this problem.

The problem is updating the hundreds of millions of laptops, tablets,
and mobile phones.

The problem is inertia. It's not a technical problem, and you can't look
for technical solutions.