Two-way password encryption without ssl

Backend · Unresolved · 13 · 1500
感情败类 2020-12-30 05:01

I am using the basic-auth twitter API (no longer available) to integrate twitter with my blog's commenting system. The problem with this and many other web APIs out there

13 answers
  •  北海茫月
    2020-12-30 05:24

    I've implemented a different approach:

    1. Server: user name and password-hash stored in the database
    2. Server: send a challenge with the form to request the password, store it in the session with a timestamp and the client's IP address
    3. Client: hash the password, concat challenge|username|passwordhash, hash it again and post it to the server
    4. Server: verify timestamp, IP, do the same concatenation/hashing and compare it

    This applies to a password transmission. Using it for data means using the final hash as the encryption key for the plain text and generating a random initialization vector transmitted with the cipher text to the server.

    Any comments on this?
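The four-step challenge-response exchange in the answer above, written out as both sides of the protocol. This is an added example, not the answerer's code: the session id, the `|` separator, the 120-second challenge lifetime, the one-time use of each challenge, the constant-time comparison and the use of plain SHA-256 for the stored password hash are all assumptions made to keep it self-contained and runnable offline.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example of the scheme described in the answer above:
#   1. server stores username -> password hash
#   2. server issues a challenge bound to a session, a timestamp and a client IP
#   3. client sends hash(challenge|username|hash(password))
#   4. server checks timestamp and IP, recomputes the value and compares

CHALLENGE_TTL_SECONDS = 120  # assumed lifetime of a challenge


def hash_password(password: str) -> str:
    # Step 1 / step 3: the password hash the server stores and the client recomputes.
    # Plain SHA-256 keeps the example dependency-free; a deployment would use a
    # slow, salted password hash here instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def response_for(challenge: str, username: str, password_hash: str) -> str:
    # Step 3: hash(challenge|username|passwordhash) with a literal '|' separator.
    message = f"{challenge}|{username}|{password_hash}".encode("utf-8")
    return hashlib.sha256(message).hexdigest()


class Server:
    def __init__(self):
        self.users = {}     # username -> password hash (step 1)
        self.sessions = {}  # session id -> (challenge, issued_at, client_ip) (step 2)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def issue_challenge(self, session_id: str, client_ip: str, now: float = None) -> str:
        challenge = secrets.token_hex(16)
        issued_at = time.time() if now is None else now
        self.sessions[session_id] = (challenge, issued_at, client_ip)
        return challenge

    def verify(self, session_id: str, client_ip: str, username: str,
               response: str, now: float = None) -> bool:
        # Step 4. The challenge is consumed on first use (assumed design choice),
        # so a captured response cannot be replayed against the same challenge.
        record = self.sessions.pop(session_id, None)
        if record is None:
            return False
        challenge, issued_at, bound_ip = record
        now = time.time() if now is None else now
        if now - issued_at > CHALLENGE_TTL_SECONDS or client_ip != bound_ip:
            return False
        stored_hash = self.users.get(username)
        if stored_hash is None:
            return False
        expected = response_for(challenge, username, stored_hash)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password_hash = hash_password(password)  # step 3, first hash

    def answer(self, challenge: str) -> str:
        return response_for(challenge, self.username, self.password_hash)


def run_scenarios() -> dict:
    """Exercise the exchange: one valid login and four rejections."""
    results = {}
    server = Server()
    server.register("alice", "correct horse battery staple")
    ip = "203.0.113.7"  # constructed client address
    good = Client("alice", "correct horse battery staple")

    c = server.issue_challenge("s1", ip, now=1000.0)
    results["valid"] = server.verify("s1", ip, "alice", good.answer(c), now=1010.0)
    # same response presented again: challenge already consumed
    results["replay"] = server.verify("s1", ip, "alice", good.answer(c), now=1011.0)

    c = server.issue_challenge("s2", ip, now=1000.0)
    wrong = Client("alice", "not the password")
    results["wrong_password"] = server.verify("s2", ip, "alice", wrong.answer(c), now=1010.0)

    c = server.issue_challenge("s3", ip, now=1000.0)
    late = 1000.0 + CHALLENGE_TTL_SECONDS + 1
    results["expired"] = server.verify("s3", ip, "alice", good.answer(c), now=late)

    c = server.issue_challenge("s4", ip, now=1000.0)
    results["wrong_ip"] = server.verify("s4", "198.51.100.9", "alice", good.answer(c), now=1010.0)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Two properties of the scheme are visible in the code: the challenge, timestamp and IP binding limit replay of a captured response, but the value the server stores is exactly what the client needs to compute the response, so a leaked user table is as good as the passwords themselves for this login form. Storing a slow, salted hash instead of plain SHA-256 makes the client's step 3 more expensive but does not change that property.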
