Re: You're on SecurityFocus.com for the cleartext passwords.

On Sat, 6 May 2000, Bruce Momjian wrote:

> > > Also, MD5 is not ideal for passwords.  Seems the standard unix-style
> > > password crypting is the standard, so it should be used to crypt our own
> > > passwords in pg_shadow.  I am sure someone would find some problem with
> > > us using md5 for password storage.
> > 
> > FreeBSD uses MD5 by default since at least ver 2.2, possibly earlier.
> >  
> > > We already use the unix-style password crypt to send passwords over the
> > > wire.  Why not use it for storage too?
> > 
> > Can ALL clients we support use it over the wire?  
> 
> Yes, I think so.  Java has its own, and the others use libpq do to it. 
> The beauty of my suggesting is that all we have to do is pass the
> pg_shadow salt along with the random salt, and call the crypt code
> twice, first with the pg_shadow salt, then with the random salt.
> 
> The server pass the pg_shadow version through the random salt crypt, and
> compares.
> 
> Now, I we want to move all the stuff to use MD5 rather than the standard
> unix password crypt, that is another option, though I am not sure what
> value it would have.
> 
> 

How about ODBC?  This is from the ODBC driver source connection.c:                                   self->errormsg =
"Passwordcrypt authentication not supported";
 

Is that because of the platform it's running on or what it's talking
to?

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net128K ISDN from $22.00/mo - 56K Dialup from
$16.00/moat Pop4 Networking       Online Campground Directory    http://www.camping-usa.com      Online Giftshop
Superstore   http://www.cloudninegifts.com
 
==========================================================================