Re: PostgreSQL cleartext passwords
From | Tom Lane |
---|---|
Subject | Re: PostgreSQL cleartext passwords |
Date | |
Msg-id | 26585.958701581@sss.pgh.pa.us |
In reply to | Re: PostgreSQL cleartext passwords (Lincoln Yeoh <lylyeoh@mecomb.com>) |
Replies | Re: PostgreSQL cleartext passwords |
List | pgsql-general |
Lincoln Yeoh <lylyeoh@mecomb.com> writes:
> At 05:38 PM 18-05-2000 -0400, Tom Lane wrote:
>> Not so! "crypt" authentication provides for sending passwords in
>> crypted form during login (which is good if you're afraid of
>> password-sniffers, but then maybe you should be using SSL to protect
>> your whole session, not only the password). But it doesn't change
>> the contents of pg_shadow.

> But if someone sniffs the crypted form, won't they be able to reuse it?

Not unless they're lucky enough to be challenged with the same random
"salt" value that was used in the login transaction they sniffed.

I don't particularly care to rehash the *very* long discussion we just
went through on the hackers list. Suffice it to say that the current
method is not a waste of time, but it could be made better. See the
archives (if Marc ever gets them working again :-() for details.

regards, tom lane
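
The salted challenge described in the message above, modeled as an added example (not code from the message or from PostgreSQL): a captured response is rejected under a fresh salt and accepted only when the same salt is issued again, and the chance of that depends on the size of the salt space. SHA-256 stands in for crypt(3); the 2-character salt (as in traditional crypt(3)), the sample password, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: salt drawn from the traditional crypt(3) alphabet (64 symbols).
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def response(password: str, salt: str) -> str:
    """Client-side answer to a challenge. SHA-256 is a stand-in for crypt(3)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


class Server:
    """Hypothetical server side of the exchange: one salt per login attempt."""

    def __init__(self, password: str, salt_len: int = 2):
        self.password = password
        self.salt_len = salt_len
        self.pending = None

    def challenge(self, forced_salt=None) -> str:
        # forced_salt exists only so the demo can reproduce a salt collision.
        self.pending = forced_salt or "".join(
            secrets.choice(SALT_ALPHABET) for _ in range(self.salt_len))
        return self.pending

    def verify(self, resp: str) -> bool:
        salt, self.pending = self.pending, None  # each salt is single-use
        if salt is None:
            return False
        return hmac.compare_digest(resp, response(self.password, salt))


def salt_repeat_probability(salt_len: int, attempts: int = 1) -> float:
    """Chance that at least one of `attempts` challenges repeats a given salt."""
    space = len(SALT_ALPHABET) ** salt_len
    return 1 - (1 - 1 / space) ** attempts


def demo():
    """Returns (legit_ok, replay_under_new_salt, replay_under_same_salt)."""
    password = "constructed-sample-password"  # constructed value
    server = Server(password)
    sniffed = response(password, server.challenge(forced_salt="ab"))
    legit_ok = server.verify(sniffed)
    server.challenge(forced_salt="cd")
    replay_new = server.verify(sniffed)
    server.challenge(forced_salt="ab")
    replay_same = server.verify(sniffed)
    return legit_ok, replay_new, replay_same
```

With a 2-character salt the per-attempt repeat chance is 1 in 4096, which is why a larger random challenge, or SSL for the whole session as the quoted text suggests, closes the gap.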