LOGBOOK

HELP

Quiz Entry - updated: 2026.06.01

How does a basic password-based login protocol work, and what does the server actually store?

Setup: client sends password once, server stores its hash. Login: client sends password, server hashes and compares with the stored hash.

The two phases:

Setup phase (one-time):

  • Alice sends her password to Bob's server over a secure channel.
  • Bob computes Hash(password) and stores only the hash — never the plaintext password.

Login phase (every session):

  • Alice sends "I'm Alice, <password>".
  • Bob computes Hash(password) on the received value.
  • Bob compares with the stored hash — if equal, login succeeds (ok); otherwise it fails (not ok).

Why hash, not the password itself:

  • If Bob's database is leaked, the attacker has hashes, not passwords. They still need to brute-force each one.
  • Modern practice: use a slow salted hash function (bcrypt, scrypt, Argon2) — the slowness makes brute-forcing each password expensive.

Weak spot: the password still travels to the server in plaintext during login. This is why TLS is non-negotiable: it protects the channel. Challenge-response protocols (next cards) eliminate even this exposure.

From Quiz: ISF / Access Control | Updated: Jun 01, 2026