in reply to Re: Re: Re: Re: Ecrypting passwords
in thread Ecrypting passwords
Good description of Digest encrytption from what I remember about it. I'd just like to add a slight addition though..
If I remember correctly from what I read in Applied Cryptography (My copy is currently on loan, alas) if required a nonce can be strengthened by adding an accurate timestamp, request counter, or other non-repeating series.
By using Digest::MD5::md5_hex("$user:$realm:$password:$series_id") as the nonce, and keeping track of 'used' nonces and rejecting them it stops the man-in-the-middle even being able to use replay attacks to see those pages that just flew past them.
After all, would you really want someone to replay your entire session for shutting down your database server when they so choose?