Wikipedia presents the following example of nonce-based authentication:
Client requests nonce from server.
Server responds with nonce (i.e., hereafter referred to as "server nonce").
Client uses server nonce, its own client nonce, and user-inputted password to generate a hash.
Client sends user-inputted username, client nonce, and hash to server.
Server retrieves both server nonce and user password from its database, presumably via username.
Server combines server nonce, client nonce and password to generate a hash.
Server compares hash just generated with hash sent from client.
If the hashes match, client is authenticated. If not, client is rejected.
Doesn't this imply that the server stores user passwords in plain text? In gross violation of security principles that recommend saving salted hashes of passwords rather than the actual passwords themselves?
See Question&Answers more detail:os