How To, and How Not to Hash Passwords

CS 463 Lecture, Dr. Lawlor


How not to hash passwords: LM_hash
LMhash = concat(
Still, it could be worse:
One annoying thing about bad network protocols: they're almost impossible to kill.  The problem is that *every* client needs to be upgraded before the server can stop using the old protocol (even the ancient Windows 98 machine in the back, running the plotter).


How to hash passwords well: HTTP Digest_access_authentication
   HA1 = MD5(username + realm + password); 
HA2 = MD5(method + digestURI);
response = MD5(HA1 + nonce + HA2);
Good Features:

It'd still be possible to improve this, though:

These improvements were implemented in RFC2617.