> First, plain text passwords are being used in places where they need not
> be. For example the recent post about the Real Media server storing
> plain text passwords. There is no reason for the server to store
> plain text passwords. It can store a hash and authenticate users
> against the hash. It's the old PAP versus CHAP debate.

*YES*, there is reason for the realmedia server to store the password in
plaintext (although it should still obfuscate it to prevent accidental
viewing). I always like to compare the types of PPP authentication to
show this:

Method    Client     Wire       Server
------    ---------  ---------  ---------
PAP       Clear      Clear      Encrypted
CHAP      Clear      Encrypted  Clear

And I don't think we can do better than that. We can encrypt at only one
stage of the process. We have to make a tradeoff.

(Not that I'm saying RealMedia uses the CHAP model and encrypts over the
wire. It probably doesn't, and if that is the case, then it is indeed
stupid.)

-Phil
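The tradeoff in Phil's table, worked through in code. This is an added example, not part of the mailing-list thread: it models the PAP side with a server that keeps only a salted PBKDF2 hash and verifies the clear password it receives on the wire, and the CHAP side with the RFC 1994 response MD5(identifier || secret || challenge), which the server can only recompute if it holds the secret itself. The function names, the 16-byte challenge length and the use of PBKDF2 on the PAP side are assumptions chosen for the illustration; the sample password is constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the PAP-side hash


# ---- PAP model: clear on the wire, so the server can store a hash only ----

def pap_enroll(password: str, salt: bytes = b"") -> tuple:
    """Server-side enrolment: keep (salt, hash), never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def pap_verify(server_record: tuple, password_on_wire: str) -> bool:
    """Server-side check: recompute the hash of what arrived and compare."""
    salt, digest = server_record
    candidate = hashlib.pbkdf2_hmac("sha256", password_on_wire.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def pap_exchange(client_password: str, server_record: tuple) -> tuple:
    """One PAP round: returns (bytes visible on the wire, server decision)."""
    wire = client_password.encode()  # the password itself crosses the wire
    return wire, pap_verify(server_record, client_password)


# ---- CHAP model: hashed on the wire, so the server needs the secret ----

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over identifier octet, secret and challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(server_secret: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server-side check: this needs the clear secret, a hash of it is useless here,
    because the secret is an *input* to the MD5 the server has to recompute."""
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(client_secret: str, server_secret: str,
                  identifier: int = 1, challenge: bytes = b"") -> tuple:
    """One CHAP round: returns ((challenge, response) seen on the wire, decision)."""
    challenge = challenge or os.urandom(16)  # 16-byte challenge is an assumption
    response = chap_response(identifier, client_secret, challenge)
    return (challenge, response), chap_verify(server_secret, identifier, challenge, response)


if __name__ == "__main__":
    pw = "constructed-example-password"
    record = pap_enroll(pw)
    wire, ok = pap_exchange(pw, record)
    print("PAP : wire carries", wire, "| server stores hash | accepted:", ok)
    (chal, resp), ok = chap_exchange(pw, pw)
    print("CHAP: wire carries challenge+MD5 | server stores secret | accepted:", ok)
```

Run it and the two print lines show the table directly: in the PAP round the password bytes are what crosses the wire while the server record is a salted hash; in the CHAP round only the challenge and a 16-byte digest cross the wire, but `chap_verify` has to be handed the clear secret to do its job.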
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:48 PDT