ietf-smtp

Re: I-D ACTION:draft-siemborski-rfc2554bis-02.txt (fwd)

2003-12-08 09:23:34

On Sun, 7 Dec 2003, Arnt Gulbrandsen wrote:

> I've been told that digest-md5 can be implemented without storing
> cleartext passwords. Is that correct? I found an expired draft which
> suggests that it's true in some circumstances (when the realm is not
> sensitive).

As far as I know, the non-plaintext versions of DIGEST-MD5 secrets are
plaintext-equivalent for the realm in question.  So, if the password file
is compromised, then that entire realm is compromised immediately, but
the vulnerability ends at that realm (other realms with the same password
are not compromised).

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski | Andrew Systems Group * Research Systems Programmer
PGP:0x5CE32FCC | Cyert Hall 207 * rjs3(_at_)andrew(_dot_)cmu(_dot_)edu * 412.268.7456
-----BEGIN GEEK CODE BLOCK----
Version: 3.12
GCS/IT/CM/PA d- s+: a-- C++++$ ULS++++$ P+++$ L+++(++++) E W+ N o? K-
w O- M-- V-- PS+ PE++ Y+ PGP+ t+@ 5+++ R@ tv-@ b+ DI+++ G e++ h r- y?
------END GEEK CODE BLOCK-----
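
An added example, not part of the message above: a sketch of the RFC 2831 response computation showing why a stored H(user:realm:password) value is enough to authenticate within its realm but differs under any other realm. The function names and the second realm `example.net` are assumptions made for illustration; the nonce, cnonce and user values are those of the example exchange in RFC 2831.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """H() from RFC 2831: the raw 16-octet MD5 digest."""
    return hashlib.md5(data).digest()

def stored_secret(user: str, realm: str, password: str) -> bytes:
    """The value a server can keep instead of the cleartext password."""
    return h(f"{user}:{realm}:{password}".encode())

def response_from_secret(secret: bytes, nonce: str, cnonce: str, nc: str,
                         digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response-value (no authzid), computed from the stored secret alone."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2).hex()}"
    return h(kd.encode()).hex()

def server_verify(secret_db: dict, user: str, realm: str, response: str, **ch) -> bool:
    """Server-side check: only the stored secret is consulted, never the password."""
    secret = secret_db.get((user, realm))
    if secret is None:
        return False
    return hmac.compare_digest(response, response_from_secret(secret, **ch))

# Challenge values from the example exchange in RFC 2831 (password "secret").
CH = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
          digest_uri="imap/elwood.innosoft.com")
DB = {("chris", "elwood.innosoft.com"):
      stored_secret("chris", "elwood.innosoft.com", "secret")}
# Constructed second realm: same user, same password.
OTHER_DB = {("chris", "example.net"): stored_secret("chris", "example.net", "secret")}

def demo() -> dict:
    entry = DB[("chris", "elwood.innosoft.com")]
    resp = response_from_secret(entry, **CH)  # built from the stored value only
    return {
        "response": resp,
        "accepted_in_realm": server_verify(DB, "chris", "elwood.innosoft.com", resp, **CH),
        "secret_differs_across_realms": entry != OTHER_DB[("chris", "example.net")],
        "accepted_in_other_realm": server_verify(OTHER_DB, "chris", "example.net", resp, **CH),
    }

if __name__ == "__main__":
    print(demo())
```

Because `server_verify` never needs the password, the stored entry has to be protected like a password for that realm; the realm component is what keeps a disclosed entry from being valid elsewhere.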

