Re: md5 again
From | Bruce Momjian |
---|---|
Subject | Re: md5 again |
Date | |
Msg-id | 200007111758.NAA13380@candle.pha.pa.us |
In reply to | Re: md5 again (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: md5 again |
List | pgsql-hackers |
> And so would the postmaster ;-). The problem here is that the hashed
> username has to be sent, and there can be no hidden salt involved
> since it's the first step of the protocol. So the attacker knows
> exactly what the hashed username is, and if he can guess the username
> then he can verify it. Then he moves on to guessing/verifying the
> password. I still don't see a material gain in security here, given
> that I believe usernames are likely to be pretty easy to guess.

Just do a 'ps' and you have the username for each connection.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
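Added example (not part of the original message or of PostgreSQL's code): a sketch of the point in the quoted text that an unsalted hashed username sent as the first protocol step can be confirmed by anyone who guesses the name. The wire format (hex MD5 of the username), the function names and the sample names are assumptions; the keyed variant is hypothetical and only shows what a hidden salt would change.

```python
import hashlib
import hmac
import os


def hashed_username(username: str) -> str:
    """Assumed first protocol message: unsalted hex MD5 of the username."""
    return hashlib.md5(username.encode("utf-8")).hexdigest()


def keyed_username(username: str, hidden_salt: bytes) -> str:
    """Hypothetical variant keyed with a salt the observer never sees."""
    return hmac.new(hidden_salt, username.encode("utf-8"), hashlib.md5).hexdigest()


def confirm_guess(observed: str, candidates, hash_fn=hashed_username):
    """Return the candidate whose hash equals the observed value, else None."""
    for name in candidates:
        if hmac.compare_digest(hash_fn(name), observed):
            return name
    return None


# Constructed sample data: names of the kind a process listing or a guess
# would supply, and the value that would appear on the wire for one of them.
CANDIDATES = ["postgres", "webapp", "alice", "reports"]
WIRE_UNSALTED = hashed_username("webapp")

# Hypothetical secret shared by client and server before the first message.
HIDDEN_SALT = os.urandom(16)
WIRE_KEYED = keyed_username("webapp", HIDDEN_SALT)


def observer_view():
    """What a party holding only the wire values and the candidates learns."""
    # Unsalted: the hash is deterministic, so a correct guess is verifiable.
    unsalted = confirm_guess(WIRE_UNSALTED, CANDIDATES)
    # Keyed: without HIDDEN_SALT the observer can only try the unsalted
    # function, which never matches the keyed value.
    keyed = confirm_guess(WIRE_KEYED, CANDIDATES)
    return unsalted, keyed


if __name__ == "__main__":
    print(observer_view())
```

The keyed case requires a secret agreed before the first message, which is exactly what the quoted text says is unavailable at that step.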