Re: md5 again

From Bruce Momjian
Subject Re: md5 again
Date
Msg-id 200007111707.NAA12132@candle.pha.pa.us
In response to Re: md5 again  (Vince Vielhaber <vev@michvhf.com>)
List pgsql-hackers
> > > By knowing what PG will do with the username and random salt, sniffing 
> > > the wire can make guessing the password trivial.  If the username was
> > > never sent over the wire in the clear the unhashed username is an unknown
> > > salt to he who is sniffing.  But it's true that it would introduce a
> > > slower than necessary login.
> > > 
> > 
> > Does it?  I thought it was the password being run through MD5 that made
> > it secure.
> 
> Simple dictionary passwords.  Run them thru a script and compare the 
> output.  

I see.  In the past, they couldn't see the password salt.  Now they can
see both salts, both random and password.  Seems they can't use a
dictionary for the random salt to figure out the MD5 version of the
password, can they, because they have to crack that before doing the
password part.  We are really double-encrypting it, like
triple-DES.


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
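
Added example, not part of the original message or of PostgreSQL's source: a small password-audit check for the double-salted scheme discussed in this thread. It assumes the two-stage construction md5(md5(password + username) + random_salt), which the message does not spell out; the user name, salt and word list are constructed sample values.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_hash(password: str, username: str) -> str:
    """Inner stage (assumed): password salted with the user name."""
    return md5_hex(password.encode() + username.encode())


def wire_response(password: str, username: str, random_salt: bytes) -> str:
    """Outer stage (assumed): inner hash re-hashed with the per-login salt."""
    return md5_hex(stored_hash(password, username).encode() + random_salt)


def weak_passwords(observed: str, username: str, random_salt: bytes, wordlist):
    """Audit helper: word-list entries that reproduce an observed response.

    The user name and the random salt are both visible to an observer, so
    checking one candidate costs two MD5 calls. The second round adds no
    secret input; only the password itself is unknown.
    """
    return [w for w in wordlist
            if wire_response(w, username, random_salt) == observed]


# Constructed sample data for the demonstration.
USERNAME = "alice"
SALT = bytes.fromhex("a1b2c3d4")
WORDLIST = ["secret", "postgres", "letmein", "password"]


def demo():
    """Return audit results for a dictionary password and a random one."""
    weak = wire_response("letmein", USERNAME, SALT)
    strong = wire_response("T7#qv9!LxP2m-wz", USERNAME, SALT)
    return (weak_passwords(weak, USERNAME, SALT, WORDLIST),
            weak_passwords(strong, USERNAME, SALT, WORDLIST))


if __name__ == "__main__":
    print(demo())
```

The outcome depends only on whether the password appears in the word list, so the protection comes from password strength or an encrypted channel rather than from the extra hash round.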
 

