Re: You're on SecurityFocus.com for the cleartext passwords.
From | Sverre H. Huseby |
---|---|
Subject | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date | |
Msg-id | 20000506184526.B22812@online.no |
In reply to | Re: You're on SecurityFocus.com for the cleartext passwords. (Bruce Momjian <pgman@candle.pha.pa.us>) |
Replies | Re: You're on SecurityFocus.com for the cleartext passwords. |
List | pgsql-hackers |

[Bruce Momjian]

|   store the password in pg_shadow like a unix-style password with salt
|   pass the random salt and the salt from pg_shadow to the client
|   client crypts the password twice through the routine:
|       once using the pg_shadow salt
|       another time using the random salt

That's close to what I thought of a couple of days ago too, except I would have used MD5, since I already have that implemented. :) (It seems you already have crypt, so you wouldn't need MD5.)

Does anyone here really _know_ (and I mean KNOW) security/cryptography? If so, could you please comment on this scheme? And while you're at it, what's better of MD5 and Unix crypt (triple DES ++, isn't it?) from a security perspective?

Sverre.

--
<URL:mailto:sverrehu@online.no>
<URL:http://home.sol.no/~sverrehu/>
Echelon bait: semtex, bin Laden, plutonium, North Korea, nuclear bomb
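
The exchange quoted above, with both sides' messages, as an added example that is not part of the original message or of PostgreSQL's code. It uses one salted MD5 pass (the variant Sverre mentions) in place of crypt; the names `h`, `Server` and `client_response`, the salt sizes and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def h(salt: bytes, data: bytes) -> str:
    # One salted MD5 pass, standing in for crypt(data, salt) in the quoted scheme.
    return hashlib.md5(salt + data).hexdigest()

class Server:
    def __init__(self):
        self.shadow = {}   # user -> (stored salt, stored hash); models pg_shadow
        self.pending = {}  # user -> random salt issued for the current attempt

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(2)
        self.shadow[user] = (salt, h(salt, password.encode()))

    def challenge(self, user: str):
        stored_salt = self.shadow[user][0]
        self.pending[user] = os.urandom(8)  # fresh per login attempt
        return stored_salt, self.pending[user]

    def verify(self, user: str, response: str) -> bool:
        random_salt = self.pending.pop(user, None)  # each challenge is single-use
        if random_salt is None:
            return False
        expected = h(random_salt, self.shadow[user][1].encode())
        return hmac.compare_digest(expected, response)

def client_response(password: str, stored_salt: bytes, random_salt: bytes) -> str:
    # First pass reproduces the pg_shadow value, second pass binds it to this session.
    inner = h(stored_salt, password.encode())
    return h(random_salt, inner.encode())

def demo():
    srv = Server()
    srv.add_user("alice", "s3cret")  # constructed sample credentials
    s1, r1 = srv.challenge("alice")
    resp = client_response("s3cret", s1, r1)
    ok = srv.verify("alice", resp)        # correct password, current challenge
    srv.challenge("alice")                # new attempt gets a new random salt
    replayed = srv.verify("alice", resp)  # old response no longer matches
    s3, r3 = srv.challenge("alice")
    wrong = srv.verify("alice", client_response("guess", s3, r3))
    return ok, replayed, wrong

if __name__ == "__main__":
    print(demo())
```

Only the two salts and the final digest cross the wire; the cleartext password and the stored hash do not.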