Re: You're on SecurityFocus.com for the cleartext passwords.
From | Bruce Momjian |
---|---|
Subject | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date | |
Msg-id | 200005070311.XAA27828@candle.pha.pa.us |
In response to | Re: You're on SecurityFocus.com for the cleartext passwords. (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |

> Benjamin Adida <ben@mit.edu> writes:
> > I think it's overkill to impose SSL for everything.
>
> Agreed, and in any case we are not going to require people to install
> SSL before they can use Postgres. It's an appropriate tool for some
> people to use depending on what their security situation is.
>
> I think we are converging on a plan that involves switching from crypt
> to MD5 as our password-hashing algorithm, so given that we are going to
> need a client upgrade anyway, we can throw in the double hashing (two
> salt) method you proposed without any extra pain. Might as well protect
> the password against sniffing if we can...

That was my logic. Pretty cheap to do it.

--
Bruce Momjian | http://www.op.net/~candle
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026