# Introduction
MD5 is an authentication scheme available in MSNP2 to MSNP7.
As the name implies, the password is hashed with MD5 together with a server-provided salt.
The main problem with the MD5 scheme is that, because of the exact way the hashed password is sent, the server must store user passwords in plain text (unhashed) in order to verify them, which is very insecure by today's standards.
For this reason, server implementations that intend to support these protocol versions may want to use separate, generated app passwords for authentication instead.
It is technically possible to mitigate the above issue by using a single, hardcoded salt for each user (or even the same fixed salt for all users) and storing only the resulting MD5 hash.
However, doing so makes authentication vulnerable to replay attacks: the hashed password the client sends never changes, so anyone who captures it can send it again.
In addition, MD5 is a very weak hashing algorithm, and brute-forcing it is cheap with modern hardware.
# Procedure
The client sends the initial USR request, and the server supplies a salt:

```
C: USR TrID MD5 I user-handle
S: USR TrID MD5 S salt
```

Here user-handle is the handle (e-mail address) the client is authenticating with, and salt is an arbitrary string chosen by the server.

The client then completes the authentication flow by prepending the salt to the password, hashing the result with MD5, and sending the hash to the server:

```
C: USR TrID MD5 S hashed-password
S: USR TrID OK (...)
```

Where hashed-password is md5Hash(salt + password), the user's password hashed as described above.
# Beta 2 specific information
NOTE: This only applies to Beta 2 clients.
Client versions 1.0.0863 and above use the standard procedure.
The client sends the initial USR request without a user-handle, the server supplies a salt, and the client then sends the user-handle together with the hashed password and gets an OK response:

```
C: USR TrID MD5 I
S: USR TrID MD5 S salt
C: USR TrID MD5 S user-handle hashed-password
S: USR TrID OK (...)
```
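The following Python model is an added example, not code from the original page or from any MSNP client or server. It drives both the standard exchange and the Beta 2 variant against a toy server, which has to keep plaintext passwords because verification means recomputing md5Hash(salt + password); it also shows, via `replay_succeeds`, why the hardcoded-salt variant from the introduction is replayable. Assumptions: the digest is sent hex-encoded, the server's error reply (`ERR`) and the trailing fields of the OK line are placeholders, and the account data is constructed.

```python
import hashlib
import hmac
import secrets


def md5_response(salt: str, password: str) -> str:
    """Client side of the scheme: md5Hash(salt + password), hex encoded (assumed encoding)."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


class Md5AuthServer:
    """Toy server-side state machine for the USR ... MD5 exchange (constructed for this example).

    Accepts the standard form (user-handle in the I step) and the Beta 2 form
    (user-handle in the S step) and verifies the client's digest.
    """

    def __init__(self, accounts, fixed_salt=None):
        # The scheme forces the server to keep each password in plaintext:
        # verification is recomputing md5(salt + password) and comparing.
        self.accounts = accounts          # handle -> plaintext password
        self.fixed_salt = fixed_salt      # models the hardcoded-salt variant
        self.pending = {}                 # TrID -> (handle or None, salt)

    def handle_line(self, line):
        parts = line.strip().split(" ")
        if len(parts) < 4 or parts[0] != "USR" or parts[2] != "MD5":
            return "ERR"  # placeholder error reply, not a real MSNP response
        trid, step, args = parts[1], parts[3], parts[4:]

        if step == "I":
            # Standard clients send the handle here; Beta 2 clients send nothing.
            handle = args[0] if args else None
            salt = self.fixed_salt if self.fixed_salt is not None else secrets.token_hex(8)
            self.pending[trid] = (handle, salt)
            return f"USR {trid} MD5 S {salt}"

        if step == "S" and trid in self.pending:
            handle, salt = self.pending.pop(trid)
            if len(args) == 2:          # Beta 2: "S user-handle hashed-password"
                handle, digest = args
            elif len(args) == 1:        # standard: "S hashed-password"
                digest = args[0]
            else:
                return f"ERR {trid}"
            password = self.accounts.get(handle)
            if password is None:
                return f"ERR {trid}"
            expected = md5_response(salt, password)
            # Constant-time comparison; bytes so a non-ASCII digest cannot raise.
            if hmac.compare_digest(expected.encode(), digest.encode()):
                # The real OK line carries more fields; the page elides them.
                return f"USR {trid} OK"
        return f"ERR {trid}"


def standard_login(server, trid, handle, password):
    """Drives the standard MSNP2-7 flow against `server`; returns the final reply."""
    salt = server.handle_line(f"USR {trid} MD5 I {handle}").split(" ")[4]
    return server.handle_line(f"USR {trid} MD5 S {md5_response(salt, password)}")


def beta2_login(server, trid, handle, password):
    """Drives the Beta 2 variant: no handle in the I step, handle in the S step."""
    salt = server.handle_line(f"USR {trid} MD5 I").split(" ")[4]
    return server.handle_line(f"USR {trid} MD5 S {handle} {md5_response(salt, password)}")


def replay_succeeds(fixed_salt):
    """Shows why the salt must be fresh per login: with a fixed salt, a digest
    observed during one login is accepted again verbatim, without the password."""
    accounts = {"alice@example.com": "correct horse"}   # constructed sample account
    server = Md5AuthServer(accounts, fixed_salt=fixed_salt)
    salt = server.handle_line("USR 1 MD5 I alice@example.com").split(" ")[4]
    observed = md5_response(salt, accounts["alice@example.com"])
    server.handle_line(f"USR 1 MD5 S {observed}")
    # A second login that reuses the observed digest instead of the password.
    server.handle_line("USR 2 MD5 I alice@example.com")
    return server.handle_line(f"USR 2 MD5 S {observed}").endswith("OK")


if __name__ == "__main__":
    server = Md5AuthServer({"alice@example.com": "correct horse"})
    print(standard_login(server, "1", "alice@example.com", "correct horse"))
    print(beta2_login(server, "2", "alice@example.com", "correct horse"))
    print("replay with fixed salt:", replay_succeeds("static-salt"))
    print("replay with fresh salt:", replay_succeeds(None))
```

With a fresh random salt per I step the replayed digest is rejected, which is the property the hardcoded-salt mitigation gives up; the plaintext-password requirement remains in either case, which is why generated app passwords are the safer choice for a server that must speak these versions.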