The password is hashed with a nonce (a random, one-use string called challenge). Here's the JavaScript straight from the login page:

    var passwd = form.passwd.value;
    var hash1 = MD5(form.passwd.value);
    var challenge = form[".challenge"].value;
    var hash2 = MD5(form.passwd.value) + challenge;
    var hash;
    if(form.passwd.value){
        hash=MD5(hash2);
    } else {
        hash="";
    }

And the challenge is quite long,

    <input type=hidden name=".challenge" value="zpUHXfMLl._2u4tfNw8fBdAKYtkM" >

Thus even if you can watch the traffic both ways you can only break the password by doing some kind of brute force dictionary search. That would probably show up a few insecure passwords (if you have a largish company), but that's not really the fault of the login procedure.

> My other question is if the passwords are encrypted why do they offer a secure login
> option? How does that increase security, other than adding a brief ssl session.

Because it encrypts your username too? Honestly I don't know. Most browsers apply stricter security to secure pages, i.e. they won't be cached locally etc... That could be it. The passwords couldn't be brute forced locally either.

- Blazde
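The scheme described in the message above, as an added example that is not part of the original post or the site's own code: the client response, a server check that makes each challenge single-use, and the offline candidate test that an observed challenge/response pair allows. The `LoginServer` class, the stored `MD5(passwd)` value, the hex output of `MD5()` and the sample account are assumptions made for illustration.

```javascript
// Added example. Assumes the page's MD5() returns a lowercase hex string.
const crypto = require('crypto');
const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Same computation as the login page: MD5(MD5(passwd) + challenge).
function clientResponse(passwd, challenge) {
  return passwd ? md5hex(md5hex(passwd) + challenge) : '';
}

// Hypothetical server side: it keeps MD5(passwd) per user and the set of
// challenges that have been issued but not yet used.
class LoginServer {
  constructor(users) {
    this.users = users;            // username -> MD5(passwd) hex
    this.outstanding = new Set();  // challenges still valid
  }
  issueChallenge() {
    const c = crypto.randomBytes(21).toString('hex');
    this.outstanding.add(c);
    return c;
  }
  verify(username, challenge, response) {
    // Consume the challenge first, so a replayed response is always refused.
    if (!this.outstanding.delete(challenge)) return false;
    const stored = this.users.get(username);
    if (!stored) return false;
    const expected = Buffer.from(md5hex(stored + challenge));
    const got = Buffer.from(String(response));
    return got.length === expected.length && crypto.timingSafeEqual(expected, got);
  }
}

// Password audit: the nonce stops replay, but one observed challenge/response
// pair is enough to test candidate passwords offline, so weak ones still fall.
function firstMatch(challenge, observed, candidates) {
  return candidates.find((p) => clientResponse(p, challenge) === observed) || null;
}

// Constructed sample data: one account with a deliberately weak password.
function demo() {
  const server = new LoginServer(new Map([['alice', md5hex('letmein')]]));
  const c = server.issueChallenge();
  const r = clientResponse('letmein', c);
  return {
    first: server.verify('alice', c, r),   // fresh challenge: accepted
    replay: server.verify('alice', c, r),  // same pair again: refused
    audit: firstMatch(c, r, ['password', 'letmein', 'qwerty']),
  };
}
```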
This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 20:49:21 PDT