What about a public/private key mechanism, like ssh?
On Thu, 19 February 1998, at 15:25:56, ocie@paracel.com wrote:
> Standard salt is two characters, so an adversary might be able to
> watch and record which salts produced which replies. Even with a
> single login, a brute force attack might still be able to get the
> user's password. A stronger challenge-response system might be more
> secure. It should be possible for the server to authenticate a user
> without having to store the user's password.
>
> Then again, this is all starting to sound like Kerberos, so if
> Postgres had Kerberos authentication (which I think it does), then
> this could be used for the ultra-high security authentication system.
>
> Ocie Mitchell
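As an added illustration of the challenge-response scheme sketched in the quoted message (example code written for this page, not PostgreSQL's code or anything Ocie posted): the server stores only a salted verifier, never the password; each login uses a fresh random nonce so a recorded response cannot be replayed; and an eavesdropper who captured one exchange can still run an offline dictionary attack against it, which is the weakness the quoted text points at. The function names, the 16-byte random salt (instead of crypt's two characters) and the SHA-256/HMAC construction are my assumptions, not anything the thread specifies.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side store: user -> (salt, verifier).
# The server keeps no password, only verifier = SHA-256(salt || password).
SERVER_DB = {}


def register(user, password, salt_len=16):
    """Enrol a user; return the salt so the caller can see it is random."""
    salt = secrets.token_bytes(salt_len)          # assumed length, not crypt's 2 chars
    verifier = hashlib.sha256(salt + password.encode()).digest()
    SERVER_DB[user] = (salt, verifier)
    return salt


def server_challenge(user):
    """Server -> client: the user's salt plus a fresh random nonce."""
    salt, _ = SERVER_DB[user]
    nonce = secrets.token_bytes(16)               # new per login, defeats replay
    return salt, nonce


def client_response(password, salt, nonce):
    """Client -> server: HMAC over the nonce, keyed with SHA-256(salt || password)."""
    key = hashlib.sha256(salt + password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def server_verify(user, nonce, response):
    """Server recomputes the HMAC from the stored verifier; no password needed."""
    salt, verifier = SERVER_DB[user]
    expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_login(user, password):
    """One full exchange. Returns (accepted, transcript an eavesdropper sees)."""
    salt, nonce = server_challenge(user)
    response = client_response(password, salt, nonce)
    accepted = server_verify(user, nonce, response)
    return accepted, (salt, nonce, response)


def offline_guess(captured, wordlist):
    """Attacker who recorded one (salt, nonce, response) tries candidates offline.

    Every guess is checked locally against the recorded response, so the server
    never sees the attempts and cannot rate-limit them.
    """
    salt, nonce, response = captured
    for guess in wordlist:
        if hmac.compare_digest(client_response(guess, salt, nonce), response):
            return guess
    return None


if __name__ == "__main__":
    register("alice", "hunter2")                  # constructed sample user
    ok, transcript = run_login("alice", "hunter2")
    print("login accepted:", ok)
    # Constructed wordlist: the attacker needs only the captured transcript.
    print("recovered offline:", offline_guess(transcript, ["password", "letmein", "hunter2"]))
```

Two caveats a practitioner would add. First, the verifier the server stores is itself password-equivalent for this protocol: anyone who reads the server's table can compute valid responses, so "not storing the password" is not the same as "nothing in the table is worth stealing". Second, because the response is a deterministic function of the password, one recorded exchange is enough to test guesses at full speed; a slow key-derivation function in place of a single SHA-256 only raises the cost per guess, it does not remove the attack. A signature-based scheme of the kind the reply at the top raises (the ssh-style public/private key approach) does remove it, since the captured response then reveals nothing that a dictionary could be checked against.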