by k3d3 3909 days ago
The problem with hashes of hashes is that now, instead of the password being directly grabbed, the hash is directly grabbed, which can be thrown through the challenge-response system with no problem.

This only mitigates knowing the password itself, not anything to do with authentication.

1 comments

> The problem with hashes of hashes is that now, instead of the password being directly grabbed, the hash is directly grabbed, which can be thrown through the challenge-response system with no problem.

But now you have to grab the hash first from one of the endpoints; MITMing the connection no longer suffices to impersonate the user.

I suppose public key schemes would be preferable, but deploying those isn't feasible for a lot of use cases.
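Both comments above describe the same scheme from different angles: the server stores only H(password), and login is a challenge-response keyed by that stored hash. The following is an added example (my own code, not anything either commenter or Hacker News posted) that models it so both claims can be checked. Assumptions, all mine: the "hash of the password" is an unsalted SHA-256, the challenge-response is HMAC-SHA256 of a random nonce under that hash, and the user name, password and attacker steps are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def derive_secret(password: str) -> bytes:
    """The 'hash' both endpoints hold. Assumed scheme: unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Client side of the challenge-response: HMAC-SHA256(secret, nonce)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class Server:
    """Stores H(password) per user and verifies HMAC responses to fresh nonces."""

    def __init__(self) -> None:
        self.users: dict[str, bytes] = {}   # user -> stored hash (constructed store)
        self.pending: dict[str, bytes] = {} # user -> outstanding nonce

    def register(self, user: str, password: str) -> None:
        self.users[user] = derive_secret(password)

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)              # fresh per login attempt
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # single use: a nonce is consumed on verify
        if nonce is None or user not in self.users:
            return False
        expected = respond(self.users[user], nonce)
        return hmac.compare_digest(expected, response)


def legit_login(server: Server, user: str, password: str) -> bool:
    """Honest client: derives the hash from the password and answers the challenge."""
    nonce = server.challenge(user)
    return server.verify(user, respond(derive_secret(password), nonce))


def mitm_replay(server: Server, user: str, password: str) -> bool:
    """MITM that records one full legitimate exchange, then replays the response.

    Returns whether the replay is accepted. The honest session is completed
    first so the attacker has a real transcript to reuse.
    """
    nonce = server.challenge(user)
    recorded = respond(derive_secret(password), nonce)
    if not server.verify(user, recorded):
        raise RuntimeError("constructed honest session should succeed")
    server.challenge(user)                  # attacker's own session gets a new nonce
    return server.verify(user, recorded)    # old response does not match it


def pass_the_hash(server: Server, user: str, stolen_hash: bytes) -> bool:
    """Attacker who obtained the stored hash from an endpoint, never the password."""
    nonce = server.challenge(user)
    return server.verify(user, respond(stolen_hash, nonce))


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")  # constructed credentials
    print("legit login:", legit_login(srv, "alice", "correct horse battery staple"))
    print("MITM replay:", mitm_replay(srv, "alice", "correct horse battery staple"))
    print("pass-the-hash:", pass_the_hash(srv, "alice", srv.users["alice"]))
```

Run as written, the honest login succeeds, the replayed transcript is rejected because each attempt gets a new nonce, and a caller holding only the stored hash is accepted just as if it had the password, which is the point of the first comment; the MITM's recorded exchange alone never yields a login, which is the point of the reply. One caveat the exchange does not mention: with an unsalted H(password) as the key, a recorded (nonce, response) pair is an offline dictionary-attack target, since an attacker can test candidate passwords by recomputing the HMAC until it matches, and a recovered hash is then reusable exactly as shown by `pass_the_hash`.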