Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)
| From | Brett McCormick |
|---|---|
| Subject | Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) |
| Date | |
| Msg-id | 199802200303.TAA11237@abraxas.scene.com |
| In response to | Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) (ocie@paracel.com) |
| Responses | Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) |
| List | pgsql-hackers |
What about a public/private key mechanism, like ssh?

On Thu, 19 February 1998, at 15:25:56, ocie@paracel.com wrote:

> Standard salt is two characters, so an adversary might be able to
> watch and record which salts produced which replies. Even with a
> single login, a brute force attack might still be able to get the
> user's password. A stronger challenge-response system might be more
> secure. It should be possible for the server to authenticate a user
> without having to store the user's password.
>
> Then again, this is all starting to sound like Kerberos, so if
> Postgres had Kerberos authentication (which I think it does), then
> this could be used for the ultra-high security authentication system.
>
> Ocie Mitchell
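
The "stronger challenge-response" idea in the quoted message, where the server authenticates a user without storing the password and a recorded reply cannot be reused, sketched as an added example that is not part of the original thread. It borrows the SCRAM construction (RFC 5802) in simplified form, binding only a server nonce into the proof; the function names, the record layout and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 4096  # constructed value for this example


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _client_key(password, salt):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return _hmac(salted, b"Client Key")


def enroll(password):
    """Run once when the password is set; returns what the server stores."""
    salt = os.urandom(16)
    # Only a hash of the derived key is kept, never the password itself.
    return {"salt": salt, "stored_key": hashlib.sha256(_client_key(password, salt)).digest()}


def server_challenge():
    """Fresh 128-bit nonce per login, in place of a two-character salt."""
    return os.urandom(16)


def client_proof(password, salt, nonce):
    key = _client_key(password, salt)
    stored_key = hashlib.sha256(key).digest()
    return _xor(key, _hmac(stored_key, nonce))


def server_verify(record, nonce, proof):
    # Recover the candidate client key from the proof, then compare its
    # hash with the stored verifier in constant time.
    candidate = _xor(proof, _hmac(record["stored_key"], nonce))
    return hmac.compare_digest(hashlib.sha256(candidate).digest(), record["stored_key"])


def demo():
    record = enroll("correct horse")  # constructed sample password
    n1, n2 = server_challenge(), server_challenge()
    p1 = client_proof("correct horse", record["salt"], n1)
    return {"good_login": server_verify(record, n1, p1),
            "wrong_password": server_verify(record, n1, client_proof("guess", record["salt"], n1)),
            "replayed_proof": server_verify(record, n2, p1)}
```
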