On Tue, 11 Jul 2000, Bruce Momjian wrote:
> > And so would the postmaster ;-). The problem here is that the hashed
> > username has to be sent, and there can be no hidden salt involved
> > since it's the first step of the protocol. So the attacker knows
> > exactly what the hashed username is, and if he can guess the username
> > then he can verify it. Then he moves on to guessing/verifying the
> > password. I still don't see a material gain in security here, given
> > that I believe usernames are likely to be pretty easy to guess.
>
> Just do a 'ps' and you have the username for each connection.

True, but I was more concerned with remote sniffing.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory    http://www.camping-usa.com
Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================