How did the server get the password in the first place? Pre (Digest Authentication) registration


In all the explanations I've read regarding Digest authentication, they talk about the password hash being saved already on the server.

What I'm asking about is the registration process: how did that hashed password get there in the first place?

Does that mean the implementation of pre-Digest-authentication registration is open to one's imagination, i.e. during registration the server would generate a password and send it via email, or use an SSL connection only while the user is registering, or what? Is there some kind of standard process that comes with Digest authentication that I missed?

Note: I'm not implementing, I'm only studying; I know Digest authentication has weaknesses and there are better ways, I just wanted to have a full picture of the whole process.

Note 2: I noticed someone voting to close the question as "not a programming question". I believe there is a tiny misconception: when I said in note 1 that I'm not implementing, I meant not implementing in a real production project, but I want to understand how the concept of Digest authentication is implemented, and my question is still as clear and simple as it was: "how did the password get onto the server in the first place?"


1 answer

1234varun

The password of the user is stored at the server, not the hash. Each time a user wants to authenticate, the server creates a random variable (to prevent replay attacks) and sends it to the user. The user uses the nonce and other details like the URL and realm to create a hash. The server does the same on its side, and if these two hashes match, the user is authenticated.

All this is done to prevent sending the password in plaintext. Sometimes an encrypted connection (SSL) is not available, so instead of sending the username and password, hashing is used. Yes, you are right, the password has to be shared out of band, say over the phone or some other encrypted connection.
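The challenge/response exchange described in the answer, as an added worked example that is not part of the original question or answer. It models the registration step the question asks about as a separate, trusted operation (the constructed `register()` call stands in for whatever out-of-band or TLS-protected channel carried the password), and it follows the RFC 2617 formula without `qop`: `HA1 = MD5(username:realm:password)`, `HA2 = MD5(method:uri)`, `response = MD5(HA1:nonce:HA2)`. Because the response depends on the password only through HA1, the server can store HA1 rather than the cleartext password, which RFC 2617 explicitly permits; that is the "hash saved on the server" the question refers to. Class and function names, the realm `example.org`, and the user data are all assumptions made for this example.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """Hex MD5 digest of a string (Digest auth is specified on MD5)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1: the only place the password enters the computation."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Hypothetical server that stores HA1 per user instead of the password."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.users: dict[str, str] = {}      # username -> HA1
        self.outstanding: set[str] = set()   # nonces issued but not yet used

    def register(self, username: str, password: str) -> None:
        # Registration is outside the Digest protocol: this call represents the
        # password arriving over some trusted channel (TLS form, phone, etc.).
        # Only HA1 is kept; the cleartext password is never stored.
        self.users[username] = make_ha1(username, self.realm, password)

    def challenge(self) -> str:
        # Fresh unpredictable nonce per authentication attempt.
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, method: str, uri: str,
               nonce: str, response: str) -> bool:
        # A nonce is accepted once; a second use of the same nonce is a replay.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        ha1 = self.users.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce)
        # Constant-time compare so the check itself leaks nothing about HA1.
        return secrets.compare_digest(expected, response)


class DigestClient:
    """Hypothetical client that knows the cleartext password."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password = password

    def respond(self, realm: str, method: str, uri: str, nonce: str) -> str:
        ha1 = make_ha1(self.username, realm, self.password)
        return digest_response(ha1, method, uri, nonce)


def run_exchange() -> dict:
    """Registration, then one successful login, a replay, and a wrong password."""
    realm = "example.org"                       # constructed sample data
    server = DigestServer(realm)
    server.register("alice", "correct horse")   # constructed sample credential

    good = DigestClient("alice", "correct horse")
    nonce = server.challenge()
    resp = good.respond(realm, "GET", "/private", nonce)
    first = server.verify("alice", "GET", "/private", nonce, resp)
    replay = server.verify("alice", "GET", "/private", nonce, resp)

    bad = DigestClient("alice", "wrong password")
    nonce2 = server.challenge()
    resp2 = bad.respond(realm, "GET", "/private", nonce2)
    wrong = server.verify("alice", "GET", "/private", nonce2, resp2)

    return {
        "first_login_ok": first,
        "replay_ok": replay,
        "wrong_password_ok": wrong,
        "password_stored": "correct horse" in server.users.values(),
    }


if __name__ == "__main__":
    print(run_exchange())
```

`run_exchange()` returns `first_login_ok=True`, `replay_ok=False`, `wrong_password_ok=False` and `password_stored=False`. The last value is the point of the question: once HA1 has been computed at registration time, the server never needs the cleartext again, although HA1 is still a password-equivalent secret for that realm and must be protected as carefully as a password.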