Re: You're on SecurityFocus.com for the cleartext passwords.

> > Also, MD5 is not ideal for passwords.  Seems the standard unix-style
> > password crypting is the standard, so it should be used to crypt our own
> > passwords in pg_shadow.  I am sure someone would find some problem with
> > us using md5 for password storage.
> 
> FreeBSD uses MD5 by default since at least ver 2.2, possibly earlier.
>  
> > We already use the unix-style password crypt to send passwords over the
> > wire.  Why not use it for storage too?
> 
> Can ALL clients we support use it over the wire?  

Yes, I think so.  Java has its own, and the others use libpq do to it. 
The beauty of my suggesting is that all we have to do is pass the
pg_shadow salt along with the random salt, and call the crypt code
twice, first with the pg_shadow salt, then with the random salt.

The server pass the pg_shadow version through the random salt crypt, and
compares.

Now, I we want to move all the stuff to use MD5 rather than the standard
unix password crypt, that is another option, though I am not sure what
value it would have.

--  Bruce Momjian                        |  http://www.op.net/~candle pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026