Friday, August 2, 2002 07:45 AM
If you only store the encrypted version of the password on the server, expect the client to just send the encrypted version over the wire, and just compare the two encrypted strings on the server (the transmitted encrypted password with the stored encrypted password), then essentially you are just using the encrypted password as a new cleartext password itself. Someone listening on the net can grab the encrypted password and just send that next time.
Otherwise you have to go to some kind of "challenge-response" authentication scheme, but then the server needs the unencrypted plaintext password to generate each challenge. The client uses the plaintext password to generate the response to the challenge and sends that over the wire, and the server compares the response to what should be generated by its algorithm from the actual cleartext password.
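Both schemes from the post side by side, as an added example that is not part of the original post or any project it refers to. The first server stores only SHA-256(password) and accepts that digest straight off the wire, so a captured digest replays. The second follows the post's challenge-response description: the server holds the password, hands out a fresh random nonce per login, and checks the client's HMAC over that nonce, so a captured (nonce, response) pair is useless for a later login. The password, the class and function names, and the choice of HMAC-SHA256 as the "algorithm" are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed credential for the demo (assumption, not from the post).
PASSWORD = "correct horse battery staple"


# ---- Scheme 1: server stores H(pw) and the client sends H(pw) --------------

class HashOnlyServer:
    """Stores only the password digest and accepts that digest from the wire."""

    def __init__(self, password):
        self.stored = hashlib.sha256(password.encode()).hexdigest()

    def login(self, wire_token):
        # Compares what came over the wire with what is stored: the digest
        # has become the real password, as the post points out.
        return hmac.compare_digest(wire_token, self.stored)


def hash_only_client(password):
    """What the client transmits: the same digest the server stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def demo_hash_only_replay():
    """Returns (legitimate login ok, replay of sniffed token ok)."""
    server = HashOnlyServer(PASSWORD)
    token = hash_only_client(PASSWORD)
    legit = server.login(token)
    sniffed = token            # an eavesdropper recorded the wire token
    replayed = server.login(sniffed)
    return legit, replayed     # both True: the sniffed digest logs in


# ---- Scheme 2: challenge-response with a single-use random nonce -----------

class ChallengeServer:
    """Holds the plaintext password (as the post describes) and issues nonces."""

    def __init__(self, password):
        self.secret = password.encode()
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(16)     # fresh, unpredictable challenge per attempt
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.outstanding:
            return False           # unknown, expired, or already-used nonce
        self.outstanding.discard(nonce)   # each challenge is accepted once
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def challenge_client(password, nonce):
    """Client side: derive the response from the plaintext password and nonce."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


def demo_challenge_response():
    """Returns (legit ok, replay on same nonce ok, replay on new nonce ok)."""
    server = ChallengeServer(PASSWORD)
    n1 = server.challenge()
    r1 = challenge_client(PASSWORD, n1)
    legit = server.login(n1, r1)
    # Eavesdropper captured (n1, r1) and tries to reuse it.
    replay_same = server.login(n1, r1)
    n2 = server.challenge()
    replay_fresh = server.login(n2, r1)
    return legit, replay_same, replay_fresh   # (True, False, False)


if __name__ == "__main__":
    print("hash-only scheme (legit, replay):", demo_hash_only_replay())
    print("challenge-response (legit, replay same, replay fresh):",
          demo_challenge_response())
```

The nonce must be random and single-use; a predictable or reusable challenge brings the replay back. One limit worth knowing even with this scheme: a captured (nonce, response) pair still lets the eavesdropper test password guesses offline, since the response is a deterministic function of the password and the nonce, so the password itself still has to be strong.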