Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

>
> On Thu, 19 Feb 1998, Bruce Momjian wrote:
>
> > >
> > >
> > > Have we considering using the unix crypt function for passwords?  That
> > > way it wouldn't matter (as much) if people saw the password, and would
> > > still be (somewhat less) secure.
> > >
> > > On Thu, 19 February 1998, at 15:55:07, Jan Wieck wrote:
> >
> > I don't know what the problem with using crypt was.  It may be because
> > he passes a random salt to the user, and the user makes the password
> > packet with the given salt and returns it to the backend.  If we use
> > crypt, we have to send a plaintext password over the network, don't we?
>
>     But, aren't we doing that now?

Yes, we are using crypt.  We are picking a random salt, using crypt to
encrypt the cleartext password, then sending the salt to the frontend,
and asking them to supply a password crypted with our requested salt.

Anyway to do this while storing encrypted passwords?

--
Bruce Momjian
maillist@candle.pha.pa.us