Here’s a simplified explanation of how it works:
- The web server serves up a form with a hidden field containing a random “challenge” string, and optionally a timestamp for when the form was served.
- The user enters their password and submits the form; script in the page hashes the password together with the challenge and sends that hash rather than the password itself.
- The server knows the user’s password and the challenge that was sent, so it hashes them and compares the result with the data sent by the user.
If your web application stores encrypted passwords (as a well-behaved application should), this technique can still be used – you just have to MD5 the password twice on the client side: once to get the encrypted version, and once more with the encrypted version appended to the challenge to get the response that is sent to the web server.