Re: [HACKERS] Changing references of password encryption to hashing

On Tue, Nov 28, 2023 at 12:24 PM Stephen Frost <sfrost@snowman.net> wrote:
> I don’t know what they’re doing now, as you don’t say, and so I really couldn’t say if ldap is better or worse for
them.In some cases, sure, perhaps ldap is better than … something else, 

That's EXACTLY right. You can't say whether LDAP is better or worse in
every scenario. And therefore you should not be proposing to remove
it.

>> I think that is, to borrow a phrase from Tom, arrant nonsense. Sure,
>> MD5 authentication has a pass-the-hash vulnerability, and that sucks.
>
> So, given that we all agree with the CVE-worthy issue that exists with every release where we include md5 auth, we
shouldbe applying for q CVE prior to each release, no? 

You know, I said in my previous email that you were so sure that you
were right that there was no point in trying to have a serious
discussion, and I can't really see how you could have proved that
point more thoroughly than you did here. You twisted my words around
to make it seem like I was agreeing with your point when you know full
well that I was doing the exact opposite of that.

Please don't do that.

--
Robert Haas
EDB: http://www.enterprisedb.com