Talk:CRAM-MD5

Computing Low‑importance

	This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing articles
Low	This article has been rated as Low-importance on the project's importance scale.

Cryptography: Computer science Mid‑importance

	This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.CryptographyWikipedia:WikiProject CryptographyTemplate:WikiProject CryptographyCryptography articles
Mid	This article has been rated as Mid-importance on the importance scale.
	This article is supported by WikiProject Computer science (assessed as Mid-importance).

Content added[edit]

I'm not Wikipedia-savvy enough to know if the subject of this article is sufficiently notable or not, but I saw that the NTLM SASL mechanism had its own page, so I added some information to this one in the hopes that it won't be deleted. Power piglet 06:51, 20 February 2006 (UTC)[reply]

Clarification needed[edit]

This article needs clarification. I confess I don't really understand it, but I suspect it has something to do with computers. If it does, it should say so. Macguba 11:38, 31 July 2007 (UTC)[reply]

Is plain-text password storage required?[edit]

This requires the server to store the clients plain-text password, correct? Or is a md5 or des password hash used? TimRiker 19:29, 19 October 2007 (UTC)[reply]

Yes it does require plaintext passwords on the server. — Preceding unsigned comment added by 62.93.183.215 (talk • contribs) 18:51, 5 June 2008 (UTC)[reply]

Why would it require plaintext passwords on the server? Can't I simply use md5(md5(password) + challenge) (and compare it with md5(storedMd5Password + challenge) on the server) ... This should result in the same authentication... enyo (talk) —Preceding undated comment added 10:02, 11 May 2009 (UTC).[reply]

the signature algorithm is aglgorithm is md5( key2 | md5( key1 | message ) ) where key1 and key2 are computed from the password Sure you can strore the md5 internal state after swallowing key1 and after key2, and use that in verifying, but an attackier with that information can also use these md5 internal states to forge a signature, so it render the password unreadable without offering much real security. 116.90.140.41 (talk) 22:07, 26 June 2014 (UTC)[reply]