|
|
|
|
|
|
by zinekeller
1660 days ago
|
|
|
> If it did then the server’s password file would effectively be plaintext. Send seed and hashing parameters to the client, then client does hashing, client sends hash, server compares hashes. It's vulnerable to replay attacks, but it's the same with client sending plaintext password to server (assuming that you're not using SSH or similar). |
|
|
https://en.wikipedia.org/wiki/Zero-knowledge_password_proof
I think SRP is the most widely implemented version. https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...