Tom Lane <tgl@sss.pgh.pa.us> writes:
> With the attached patch, I have verified that long (> 8char anyway)
> usernames and passwords work correctly in both "password" and "crypt"
> authorization mode. NOTE: at least on my machine, it seems that the
> crypt() routines ignore the part of the password beyond 8 characters,
> so there's no security gain from longer passwords in crypt auth mode.
> But they don't fail.
Which is why postgres should use MD5, salted with the username, as a
password one-way hash. :)
--Michael
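
An added example, not part of the original thread: it models why traditional DES-based crypt() accepts any password sharing the first 8 characters, next to an MD5 hash over the full password salted with the username. The function names, the sample passwords and usernames, and the password-then-username concatenation order are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict


def des_crypt_key(password: str) -> bytes:
    """Key material traditional DES-based crypt() takes from a password:
    the low 7 bits of each of the first 8 bytes (56 bits in total).
    Anything past the eighth byte never reaches the cipher."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes(b & 0x7F for b in raw)


def md5_user_salted(username: str, password: str) -> str:
    """MD5 over the whole password, salted with the username.
    The concatenation order is an assumption for this example."""
    return hashlib.md5((password + username).encode("utf-8")).hexdigest()


def equivalent_groups(passwords, verifier):
    """Group passwords that yield the same verifier input or output,
    i.e. passwords the server could not tell apart."""
    groups = defaultdict(list)
    for pw in passwords:
        groups[verifier(pw)].append(pw)
    return [g for g in groups.values() if len(g) > 1]


# Constructed sample passwords: three share their first 8 characters.
SAMPLES = ["correcthorse", "correcthippo", "correcth", "correct"]


def crypt_collisions():
    return equivalent_groups(SAMPLES, des_crypt_key)


def md5_collisions(username="alice"):
    return equivalent_groups(SAMPLES, lambda pw: md5_user_salted(username, pw))


if __name__ == "__main__":
    print("indistinguishable under crypt():", crypt_collisions())
    print("indistinguishable under salted MD5:", md5_collisions())
    # The username salt also separates users who pick the same password.
    print(md5_user_salted("alice", "correcthorse"))
    print(md5_user_salted("bob", "correcthorse"))
```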