Talk:CRAM-MD5

Content added
I'm not Wikipedia-savvy enough to know if the subject of this article is sufficiently notable or not, but I saw that the NTLM SASL mechanism had its own page, so I added some information to this one in the hopes that it won't be deleted. Power piglet 06:51, 20 February 2006 (UTC)

Clarification needed
This article needs clarification. I confess I don't really understand it, but I suspect it has something to do with computers. If it does, it should say so. Macguba 11:38, 31 July 2007 (UTC)

Is plain-text password storage required?
This requires the server to store the client's plain-text password, correct? Or is an MD5 or DES password hash used? TimRiker 19:29, 19 October 2007 (UTC)
 * Yes it does require plaintext passwords on the server. — Preceding unsigned comment added by 62.93.183.215 (talk • contribs) 18:51, 5 June 2008 (UTC)
 * Why would it require plaintext passwords on the server? Can't I simply use md5(md5(password) + challenge) (and compare it with md5(storedMd5Password + challenge) on the server) ... This should result in the same authentication... enyo (talk) —Preceding undated comment added 10:02, 11 May 2009 (UTC).
 * The signature algorithm is md5( key2 | md5( key1 | message ) ) where key1 and key2 are computed from the password. Sure, you can store the md5 internal state after swallowing key1 and after key2, and use that in verifying, but an attacker with that information can also use these md5 internal states to forge a signature, so it renders the password unreadable without offering much real security. 116.90.140.41 (talk) 22:07, 26 June 2014 (UTC)
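
The stored-state scheme from the last comment, as an added example that is not part of the original discussion: it keeps the two MD5 states after key1 and key2 in place of the password and shows that those states alone produce a valid response to any challenge, so they need the same protection as the password itself. The function names, password and challenges are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes


def _keys(password: bytes):
    # HMAC key preparation: hash over-long keys, zero-pad to one block,
    # then XOR with the inner (0x36) and outer (0x5c) pad constants.
    key = hashlib.md5(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\x00")
    key1 = bytes(b ^ 0x36 for b in key)  # "key1" in the comment above
    key2 = bytes(b ^ 0x5C for b in key)  # "key2" in the comment above
    return key1, key2


def make_verifier(password: bytes):
    """Server-side record: MD5 states after absorbing key1 and key2 (hypothetical helper)."""
    key1, key2 = _keys(password)
    return hashlib.md5(key1), hashlib.md5(key2)


def response_from_verifier(verifier, challenge: bytes) -> str:
    """Compute md5(key2 | md5(key1 | challenge)) from the saved states only."""
    inner, outer = (state.copy() for state in verifier)
    inner.update(challenge)
    outer.update(inner.digest())
    return outer.hexdigest()


def response_from_password(password: bytes, challenge: bytes) -> str:
    """What a client that knows the password sends (standard HMAC-MD5)."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def server_check(verifier, challenge: bytes, client_response: str) -> bool:
    expected = response_from_verifier(verifier, challenge)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    stored = make_verifier(b"constructed-password")       # constructed sample
    challenge = b"<12345.67890@mail.example.org>"          # constructed sample
    client = response_from_password(b"constructed-password", challenge)
    print("server accepts client:", server_check(stored, challenge, client))
    # The stored states answer a fresh challenge without the password.
    fresh = b"<99999.11111@mail.example.org>"
    print("verifier alone is enough:", server_check(stored, fresh, response_from_verifier(stored, fresh)))
```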