
zyztem | 6 years ago

The turn of the millennium was the era before SSL/TLS. LiveJournal did not want to send the clear-text password during login to the site. SRP was patent-encumbered (and anyway, implementing a proper PAKE in the JavaScript of that era was infeasible).

So LiveJournal implemented their own challenge-handshake auth: https://www.livejournal.com/doc/server/ljp.csp.auth.challres.... Unfortunately it requires storing a plain-text equivalent of the password on the server.

It seems to have worked fine through the years, but they used it well past its "best before" date.

(SRP - http://srp.stanford.edu/, PAKE - https://en.wikipedia.org/wiki/Password-authenticated_key_agr...)
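Worked example of the kind of challenge/response login described in the comment above, with both sides of the exchange, plus the consequence of the server holding a password-equivalent. This is added illustration code, not LiveJournal's code and not taken from the linked document: the response construction MD5(challenge + MD5(password)) follows the linked protocol description, but the challenge format (`c0:` plus random hex), the expiry and single-use handling, and the `Server`/`client_response` names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string (the primitive the scheme is built on)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


class Server:
    """Toy server: stores MD5(password) per user, issues challenges, verifies responses.

    The stored value is a 'plain-text equivalent' in the sense the comment means:
    whoever holds it can answer any challenge without knowing the password.
    """

    def __init__(self, ttl_seconds: int = 60):
        self.users = {}    # username -> MD5(password) as hex
        self.issued = {}   # challenge -> expiry timestamp (assumed housekeeping)
        self.ttl = ttl_seconds

    def register(self, username: str, password: str) -> None:
        # The scheme forces the server to keep MD5(password), not a salted, slow hash.
        self.users[username] = md5_hex(password)

    def issue_challenge(self) -> str:
        # Assumption: an opaque random challenge; the real wire format is not reproduced.
        challenge = "c0:" + os.urandom(16).hex()
        self.issued[challenge] = time.time() + self.ttl
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        expiry = self.issued.pop(challenge, None)   # each challenge is single-use
        if expiry is None or time.time() > expiry:
            return False                            # unknown, replayed, or expired
        stored = self.users.get(username)
        if stored is None:
            return False
        expected = md5_hex(challenge + stored)      # MD5(challenge + MD5(password))
        return hmac.compare_digest(expected, response)


def client_response(challenge: str, password: str) -> str:
    """What a legitimate client sends: it never transmits the password itself."""
    return md5_hex(challenge + md5_hex(password))


def response_from_stolen_hash(challenge: str, stolen_md5: str) -> str:
    """What an attacker holding a copy of the server's table sends: same result, no password."""
    return md5_hex(challenge + stolen_md5)


def demo() -> dict:
    server = Server()
    server.register("alice", "correct horse battery staple")   # constructed sample user

    # 1. Legitimate login: challenge out, MD5(challenge + MD5(password)) back.
    ch1 = server.issue_challenge()
    legit = server.verify("alice", ch1, client_response(ch1, "correct horse battery staple"))

    # 2. Wrong password produces a different inner hash, so the response fails.
    ch2 = server.issue_challenge()
    wrong_pw = server.verify("alice", ch2, client_response(ch2, "wrong"))

    # 3. Replaying the first response fails because the challenge was consumed.
    replay = server.verify("alice", ch1, client_response(ch1, "correct horse battery staple"))

    # 4. A stolen MD5(password) answers a fresh challenge just as well as the password.
    ch3 = server.issue_challenge()
    stolen = server.users["alice"]
    stolen_hash = server.verify("alice", ch3, response_from_stolen_hash(ch3, stolen))

    return {"legit": legit, "wrong_pw": wrong_pw, "replay": replay, "stolen_hash": stolen_hash}


if __name__ == "__main__":
    print(demo())
```

The challenge keeps the password off the wire and blocks naive replay, which is all the scheme was designed for; it does nothing about a database leak, because the verifier value and the client's secret are the same MD5, which is the "plain-text equivalent" the comment refers to. A PAKE such as SRP avoids this by storing a verifier from which the client's secret cannot be recovered.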


sigprof | 6 years ago

And that API still works (just tested the example), which means that LiveJournal still stores MD5(password) in their database.