Re: You're on SecurityFocus.com for the cleartext passwords.

> But what I'm proposing will let ALL clients send an encrypted password
> over the wire and we can also store them encrypted.  By comparing twice
> we can maintain backward compatibility.  The backend would compare the
> password received with the stored md5 password and compare the received
> password after md5ing it in case it was sent clear-text.

But you can do that with our current system.  Store them in pg_shadow
using unix password format.  If a cleartext password comes in, crypt it
using the pg_shadow salt and compare them.

--  Bruce Momjian                        |  http://www.op.net/~candle pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026