On Fri, Jul 06, 2001 at 09:32:36PM -0000, gregory duchemin wrote:
[snip]
> the hash creation process is as follows:
> ======================================
>
> say user toto has a password "titan"
> then his client generates the string "yyyyyyyyy.yyyyyyyyytitan" and the
> according MD5 hash, say xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
> the client sends MD5(yyyyyyyyy.yyyyyyyyytitan) on the wire.

This is the exact same thing APOP does - server sends a string, client
appends password to string, takes MD5 hash and sends back. If your
cracker is what you say it is (I haven't checked) then APOP should be
just as vulnerable.

Greetz, Peter
-- 
Against Free Sex! http://www.dataloss.nl/Megahard_en.html
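The exchange described in the message above, as an added example that is not part of the original post or of any project's code: both sides of an APOP-style MD5(challenge + password) login, plus a password-audit check showing that the two values sent in cleartext are enough to test candidate passwords without contacting the server. The function names, the wordlist and the "toto" challenge string are constructed for illustration; the first vector is the example from RFC 1939.

```python
import hashlib
import hmac

def apop_digest(challenge: str, password: str) -> str:
    """Client side: hex MD5 of the server challenge followed by the password."""
    return hashlib.md5((challenge + password).encode("ascii")).hexdigest()

def server_verify(challenge: str, stored_password: str, response: str) -> bool:
    """Server side: recompute the digest and compare in constant time."""
    expected = apop_digest(challenge, stored_password)
    return hmac.compare_digest(expected, response)

def audit_offline(challenge: str, response: str, wordlist):
    """Password audit: return the wordlist entry that reproduces the observed
    digest, or None. Uses only the challenge and response, both sent in clear."""
    for candidate in wordlist:
        if hmac.compare_digest(apop_digest(challenge, candidate), response):
            return candidate
    return None

# Example exchange from RFC 1939 (APOP command description).
RFC_CHALLENGE = "<1896.697170952@dbc.mtview.ca.us>"
RFC_SECRET = "tanstaaf"
RFC_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"

# Constructed sample data: the quoted post's user "toto" with password "titan".
TOTO_CHALLENGE = "<4242.994455156@mail.example.invalid>"
WEAK_WORDS = ["password", "letmein", "titan", "qwerty"]

def demo():
    """Run the exchange and the audit, returning the results for inspection."""
    wire_response = apop_digest(TOTO_CHALLENGE, "titan")   # what the client sends
    return {
        "rfc_vector_ok": apop_digest(RFC_CHALLENGE, RFC_SECRET) == RFC_DIGEST,
        "server_accepts": server_verify(TOTO_CHALLENGE, "titan", wire_response),
        # A password found in a wordlist gets no protection from the challenge.
        "weak_password": audit_offline(TOTO_CHALLENGE, wire_response, WEAK_WORDS),
        # One outside the list is not recovered by this audit.
        "strong_password": audit_offline(
            TOTO_CHALLENGE,
            apop_digest(TOTO_CHALLENGE, "k7#Vq9!zLw2pXe"),
            WEAK_WORDS,
        ),
    }

if __name__ == "__main__":
    print(demo())
```

The challenge only prevents replay of an old response; wrapping the session in TLS keeps both the challenge and the digest off the wire.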
This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 18:06:46 PDT