On Fri, Jun 14, 2002 at 10:54:35 -0400,
murphy pope <pope_murphy@hotmail.com> wrote:
>
> But, if I can peek at the server's user/password checksum (in the pg_pwd
> file), I can connect to a server, get the server's salt, and combine it
> with the stolen checksum, arriving at the checksum expected by the server.
>
> This is exactly how I would impersonate a user authenticated by 'crypt'.
>
> So, to me, it doesn't seem that 'md5' is much more secure than 'crypt'.
> The user/password hash stored in pg_pwd is essentially a plaintext
> password. What am I missing here?

I think MD5 is preferred because it provides better protection against
reversing a hash and you can use longer passwords. This helps against
some kinds of attacks.
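
The 'md5' exchange discussed in this thread, as an added example that is not part of either message and is not PostgreSQL source code. It assumes PostgreSQL's md5 layout (stored value "md5" + md5(password || username), response "md5" + md5(stored hex digest || 4-byte salt)); the user name and passwords are constructed. It shows that the server's check depends only on the stored value and the salt, which is why that file needs the same protection as a plaintext password.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    # Value kept on the server: "md5" + md5(password || username).
    return "md5" + md5_hex(password.encode() + user.encode())


def response_from_verifier(verifier: str, salt: bytes) -> str:
    # Client response: "md5" + md5(hex digest || salt).
    # The only secret input is the stored digest, not the password.
    return "md5" + md5_hex(verifier[3:].encode() + salt)


def server_accepts(stored: str, salt: bytes, response: str) -> bool:
    # The server recomputes the response from its stored value and
    # compares in constant time.
    expected = response_from_verifier(stored, salt)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    user, password = "alice", "s3cret"      # constructed sample values
    stored = stored_verifier(user, password)
    salt = os.urandom(4)                    # per-connection challenge

    # A client that knows the password derives the verifier first,
    # so its response is a pure function of (stored, salt).
    reply = response_from_verifier(stored_verifier(user, password), salt)
    print("accepted:", server_accepts(stored, salt, reply))

    # The salt only stops a captured response from being reused on a
    # later connection; it does not protect the stored value.
    print("old reply, new salt:",
          server_accepts(stored, os.urandom(4), reply))
```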