On Tue, Apr 27, 2004 at 09:37:50AM +0200, Fabien COELHO wrote:
> Even of the salt is based on the login, the point is that it is stored
> separatly, so the system does not rely on the login string to check the
> password.
>
> The only other scheme which requires the user password somehow is the HTTP
> digest authentification, and AFAIK no one in the world uses it;-)
I think (some of the) SASL authentication mechanisms also use a digest
of the user and password, if that's what you meant. But the username
and password have to be stored separately on the server anyway, just
like HTTP digest -- they are means of hiding it on the wire, not on
disk.
--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"El miedo atento y previsor es la madre de la seguridad" (E. Burke)