Authentication protocols that DO support hashed passwords

Phil Mayers p.mayers at imperial.ac.uk
Tue Nov 11 15:58:43 CET 2014


On 11/11/14 14:41, E.S. Rosenberg wrote:

> Since the hashing functions also exist on the client side what stops
> the protocols from basing the hash requested from the client on the
> _hash_ of the users' password?

Nothing "stops" the protocols doing that. They just don't, because they 
weren't very well designed.

You need to understand what people are telling you - designing a new, 
better protocol isn't the problem. EAP-PWD, or older protocols like SRP, 
have solved this problem.

The problem is updating the hundreds of millions of laptops, tablets, 
and mobile phones.

The problem is inertia. It's not a technical problem, and you can't look 
for technical solutions.

