HTTP Digest Authentication: Does the server store plaintext passwords?
It depends on the implementation. Digest authentication is just an authentication mechanism for communicating the credentials. The server will likely receive the plaintext password when the password is initially set, but can choose what it wants to do with it based on implementation. It could store it reversibly encrypted (effectively plain-text) and compare to the hash calculated on both sides (insecure), or it could hash the hash of the input from the user and verify it matches a stored hash that is similarly hashed with the nonce depending on how the server is storing the password.
For a windows server, it will depend on if the domain controller that is backing it has reversible passwords turned on or not.
Please read Wikipedia article on Digest access authentication. According to it, the server must either:
- store cleartext password,
- store password encrypted using reversible encryption,
- store digested value of the username, realm, and password.