Tycho Fruru wrote:
> > 7.3 stores encrypted MD5 passowords in database (7.2 it is optional).
> > We send random salt to client and client double-MD5 encrypts, so
> > playback will not work --- best of both worlds.
>
> So, if I understand it correctly :
>
> - on the wire : no cleartext passwords, only doubly hashed + salted
> passwords -> no replay possible (watch out for session hijacking though)
> nor password sniffing
>
Right.
> - in the database : no cleartext passwords are stored, but access to the
> md5 hashed passwords is sufficient to get access to the database -
> without really knowing the user's password - by using a modified client.
Right.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073