Re: Encryption Question
- From: "Bart Van der Donck" <bart@xxxxxxxxxx>
- Date: 14 Mar 2007 14:36:18 -0700
shimmyshack wrote:
> I am not sure that one way hashing is able to secure a
> password change, obviously just because I cannot see
> your point doesn't mean you are wrong, but if you can
> clarify how it is possible to send a hashed password
> which the server doesn't already know and store /that/
> hash in a way that cannot be replayed I'd be interested.
> It would certainly save some time for me, because I would
> not currently use such a scheme to send a change ;)
One-way encryption on the client beforehand is secure for changing the
password on one condition, which is that the user must know the
previous (encrypted) password.
E.g. if one posts the following to newpass.php:
oldEncPW=gH4tGhKLNx
newEncPW=yHjke4c5Wu
Then compare the old (stored) string to the sent 'gH4tGhKLNx'. If it
matches, replace it with 'yHjke4c5Wu'. No encryption needed on the server
side, and safe if it goes over HTTPS.
(One common alternative that comes to mind is to use a cookie where
the old password is stored, so the user doesn't need to retype it when
he requests to change it.)
--
Bart