Re: [pgadmin-hackers] Client-side password encryption
| From | Christopher Kings-Lynne |
|---|---|
| Subject | Re: [pgadmin-hackers] Client-side password encryption |
| Date | |
| Msg-id | 43AB88E3.7020500@familyhealth.com.au |
| In reply to | Re: [pgadmin-hackers] Client-side password encryption (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses | Re: [pgadmin-hackers] Client-side password encryption |
| List | pgsql-hackers |
>> So, can I specify the password to pg_connect() as
>> 'md5127349123742342344234'?
>
> Certainly not. We'd hardly be worrying about obscuring the original
> password if the encrypted version were enough to get in with.

AndrewSN can't post at the moment, but asked me to post this for him:

"Knowing the md5 hash is enough to authenticate via the 'md5' method in pg_hba.conf, even if you don't know the original password. Admittedly you have to modify libpq to do this, but this isn't going to stop an attacker for more than 5 seconds."

I'll add my own note that never sending the cleartext password does not necessarily improve PostgreSQL security, but certainly stops someone who sniffs the password from then using that cleartext password to get into other applications. If all they can get is the md5 hash, then all they can get into is PostgreSQL.

Chris
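The arithmetic behind AndrewSN's point, as an added example that is not from the thread or from PostgreSQL's own code: the server stores md5(password || username), and the client's answer to the server's 4-byte salt is md5(that hex digest || salt), so whoever holds the stored hash can produce a valid answer without the password, which is why the hash has to be protected like the password itself. The user name, password and salt below are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5_password(password: str, username: str) -> str:
    """What PostgreSQL keeps for an md5-encrypted role password:
    'md5' + hex(md5(password || username)). The username acts as the salt."""
    return "md5" + md5_hex(password.encode() + username.encode())


def auth_response_from_password(password: str, username: str, salt: bytes) -> str:
    """What a normal libpq client sends for the 'md5' method: it first derives
    the same value the server stores, then hashes that with the 4-byte salt."""
    inner = md5_hex(password.encode() + username.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def auth_response_from_stored_hash(stored: str, salt: bytes) -> str:
    """The same response, computed from the stored hash alone. No password
    is needed, because the password only ever enters the protocol via this
    hash. This is the 'password-equivalent' property the thread discusses."""
    if not (stored.startswith("md5") and len(stored) == 35):
        raise ValueError("not an md5-format PostgreSQL password hash")
    return "md5" + md5_hex(stored[3:].encode() + salt)


def server_verifies(stored: str, salt: bytes, response: str) -> bool:
    """Server-side check: recompute from the stored hash and compare in
    constant time. Note the server itself never needs the cleartext password."""
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    user, password, salt = "alice", "correct horse", b"\x01\x02\x03\x04"
    stored = stored_md5_password(password, user)
    from_pw = auth_response_from_password(password, user, salt)
    from_hash = auth_response_from_stored_hash(stored, salt)
    print("stored:", stored)
    print("responses match:", from_pw == from_hash)
    print("server accepts hash-derived response:", server_verifies(stored, salt, from_hash))
```

The salt only prevents replay of a captured response; it does nothing against someone who already holds the stored hash, and a different salt still yields an accepted response from that hash.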