"Kevin Grittner" <Kevin.Grittner@wicourts.gov> writes:
> And, perhaps slightly off topic: if the login password is sent over a
> non-encrypted stream, md5sum or not, can't someone use it to log in if
> they're generating their own stream to connect?
Not if they only capture a login exchange --- the password is doubly
encrypted during that. If they see the md5'd password in a CREATE USER
command, then yeah, they could pass a subsequent md5 challenge, using
suitably modified client software that doesn't try to re-encrypt the
given password.
But the main point is to hide the cleartext password, in any case.
regards, tom lane