>If you really want to do it right, use SRP, <http://srp.stanford.edu>. > > This is a bit offtopic here. I read the RFC and I do not see why SRP is not vulnerable to dictionary attacks. If I have a working client software then I can use it to reveal passwords. Isn't it a dictionary attack? Can you please enlighten me? Les