On Wed, 9 Nov 2005 10:53:29 -0500, Syscrusher <scott@4th.com> wrote:
This nonce or one-time-pad technique is very common in authentication schemes. It won't stop a playback or man-in-the-middle attack, but it *does* keep the actual MD5 of the password from being exposed. The only cleartext sent is the nonce, and the only MD5 sent is one that included the nonce in its creation.
This doesn't even begin to address spyware/keyloggers. The only solution is ssl/tls since you are still sending the data in clear text over an unsecured network. But even in that case a locally installed keylogger will get your passwords no matter what. My previous email message about keeping track of where the user is logged in from, by IP or ISP assigned IP block, would be a much better solution if you don't have or can't use ssl/tls. Kind of like smtp-auth for the web.
Pat
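The nonce challenge-response that the quoted message describes, as an added Python example that is not part of this thread: it assumes the server stores MD5(password) and that the client hashes the nonce together with that value, and it adds the server-side bookkeeping (fresh random nonce, accepted once) that limits replay of a captured response. A keylogger on the client, as Pat notes, is unaffected by any of this.

```python
import hashlib
import hmac
import secrets

# Constructed credential store (assumption): the server keeps MD5(password) per
# user, so it can recompute the client's response without ever seeing the password.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def issue_nonce(outstanding: set) -> str:
    """Server side: mint an unpredictable nonce and remember it as outstanding.
    The nonce is the only value that travels in clear text."""
    nonce = secrets.token_hex(16)
    outstanding.add(nonce)
    return nonce


def client_response(password: str, nonce: str) -> str:
    """Client side: derive MD5(password) locally and fold the nonce into a second
    hash. Only this nonce-bound digest is sent, never MD5(password) itself."""
    pw_md5 = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((nonce + pw_md5).encode()).hexdigest()


def server_verify(user: str, nonce: str, response: str, outstanding: set) -> bool:
    """Server side: accept a response only for a nonce this server issued and has
    not yet consumed, then retire the nonce so the same response cannot be replayed."""
    if nonce not in outstanding or user not in USERS:
        return False
    outstanding.discard(nonce)          # single use: a sniffed response is now dead
    expected = hashlib.md5((nonce + USERS[user]).encode()).hexdigest()
    return hmac.compare_digest(expected, response)


def wire_leaks_password_hash(user: str, password: str, outstanding: set) -> bool:
    """Helper for the reader: run one exchange and report whether MD5(password)
    appears anywhere in what crossed the wire (it should not)."""
    nonce = issue_nonce(outstanding)
    response = client_response(password, nonce)
    server_verify(user, nonce, response, outstanding)
    return USERS[user] in (nonce + response)
```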