Send password over TCP connection

Laszlo Zsolt Nagy gandalf at designaproduct.biz
Tue Oct 11 10:54:19 EDT 2005


>If you're saying that people have no choice but to trust that their 
>passwords, stored in the clear on the server of some idiot who didn't 
>know better, are safe from casual administrator observation and safe 
>from hackers stealing the password file, then you shouldn't be allowed 
>anywhere near a supposedly secure system...

Of course I would not say this. :-)

>If you're just saying that one has to trust that the server you are 
>talking to at this instant in time is really the one you thought it was, 
>then that's an entirely different issue and I agree.

Not just this.
"one has to trust that the server you are talking to at this instant in 
time is really the one you thought it was" - this is just authentication.
I'm saying that even if the authentication is secure and the server is 
really the one that you wanted to talk with, the server can still be 
vulnerable to other kinds of attacks. Since users are storing data on 
the server, they need to trust in its security. Storing the clear 
passwords is not a good idea, I agree. But having a secure 
authentication method and not storing clear passwords doesn't 
automatically mean that the server is secured. :-)

I'm sorry, I was not clear. I think we were talking about the same thing.

   Les




