•Digest authentication offers no real protection against poorly chosen passwords
–grabbing the nonce/response pair(s), an eavesdropper can quickly run through a dictionary of common passwords trying to recreate the response
•Dictionary = {root,$user,$user$user,reverse($user),Spock,Whorf,Gandalf,eagle,mustang,password,mypassword,123,asdf,fluffy,fido,…}
•Make dictionary attacks harder with salt.
# user format = name:realm:md5(name:realm:password)
mklein:Colonial Place:53bbb5135e0f39c1eb54804a66a95f08
# user format = name:realm:md5(name:realm:password:salt):salt
mklein:Colonial Place:e65c90343b763abb9e442dd03ae79aac:12
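The two user-file formats above, worked through as an added Python example (this is not code from the original slides): it builds entries in the unsalted and salted formats, verifies a submitted password against either, and runs the slide's dictionary as a defender-side audit of the site's own user file. The sample entries, their passwords and the salts "a1"/"b2" are constructed for the example; the salt length chosen by make_entry (16 hex characters) is an assumption, since the slide only shows a two-character salt.

```python
import hashlib
import secrets

# Fixed words from the slide's dictionary; the "$user" entries are expanded per account.
COMMON_PASSWORDS = ["root", "Spock", "Whorf", "Gandalf", "eagle", "mustang",
                    "password", "mypassword", "123", "asdf", "fluffy", "fido"]

def build_dictionary(name):
    """The slide's dictionary for one account: $user, $user$user, reverse($user), then the fixed words."""
    return [name, name + name, name[::-1]] + COMMON_PASSWORDS

def ha1(name, realm, password, salt=None):
    """Stored digest: md5(name:realm:password), or md5(name:realm:password:salt) when a salt is given."""
    parts = [name, realm, password] + ([salt] if salt is not None else [])
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def make_entry(name, realm, password, salted=True):
    """Build one user-file line in either format shown on the slide."""
    if not salted:
        return f"{name}:{realm}:{ha1(name, realm, password)}"
    salt = secrets.token_hex(8)  # 16 hex chars of random salt (assumption; the slide shows a 2-char salt)
    return f"{name}:{realm}:{ha1(name, realm, password, salt)}:{salt}"

def parse_entry(line):
    """Split a line into (name, realm, digest, salt); salt is None for the unsalted format."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 3:
        return fields[0], fields[1], fields[2], None
    if len(fields) == 4:
        return tuple(fields)
    raise ValueError(f"malformed entry: {line!r}")

def verify(line, password):
    """Check a submitted password against a stored entry (constant-time compare on the digest)."""
    name, realm, digest, salt = parse_entry(line)
    return secrets.compare_digest(ha1(name, realm, password, salt), digest)

def audit(lines, dictionary_for):
    """Defender-side check: report accounts whose stored digest matches a dictionary word.

    This is the same computation the slide's eavesdropper performs, here run by the
    site against its own user file so weak passwords can be rotated. The salt does
    not stop this check (the auditor reads it from the file); it only defeats tables
    computed before the salt was known.
    """
    weak = []
    for line in lines:
        name, realm, digest, salt = parse_entry(line)
        for candidate in dictionary_for(name):
            if ha1(name, realm, candidate, salt) == digest:
                weak.append((name, candidate))
                break
    return weak

# Constructed sample user file (not real accounts): two salted entries with fixed salts
# so the example is deterministic, plus one unsalted entry.
SAMPLE_USER_FILE = [
    f"mklein:Colonial Place:{ha1('mklein', 'Colonial Place', 'Gr33n-Tea-Lantern-72', 'a1')}:a1",
    f"bob:Colonial Place:{ha1('bob', 'Colonial Place', 'password', 'b2')}:b2",
    f"eve:Colonial Place:{ha1('eve', 'Colonial Place', 'eve')}",
]

if __name__ == "__main__":
    print(make_entry("mklein", "Colonial Place", "Gr33n-Tea-Lantern-72"))
    print(verify(SAMPLE_USER_FILE[1], "password"))    # True
    print(audit(SAMPLE_USER_FILE, build_dictionary))  # [('bob', 'password'), ('eve', 'eve')]
```

The audit flags "bob" (a fixed dictionary word) and "eve" (the $user rule) but not "mklein", whose password is outside the dictionary; note that the unsalted entry and the salted entry are verified by the same code path, the only difference being whether the stored salt is appended before hashing.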