Re: So we're in agreement....
From | Vince Vielhaber |
---|---|
Subject | Re: So we're in agreement.... |
Date | |
Msg-id | Pine.BSF.4.21.0005071321090.13987-100000@paprika.michvhf.com |
In reply to | Re: So we're in agreement.... (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: So we're in agreement.... |
List | pgsql-hackers |
On Sun, 7 May 2000, Tom Lane wrote:

> Vince Vielhaber <vev@michvhf.com> writes:
> > It could add a level of security. The client knows the username. If
> > the client were to only send LOGIN or something like that to the server
> > without sending the username and the server only replied with the random
> > salt, the client would know that the username was the fixed salt and could
> > use that with random salt received from the server. So it's really a
> > hidden salt.
>
> Hidden from whom? The client *must* send the username to the server,
> so a sniffer who is able to see both sides of the conversation will
> still have all the same pieces. If the sniffer only sees one side of
> the conversation, he's still in trouble: he'll get the random salt, or
> the hashed password, but not both. So I still don't see what the
> username is adding to the process that will make up for rendering it
> much more difficult to rename users.

My intent was not to send the username, but let the server figure it out
by the response.

Vince.

--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
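As an added illustration of the exchange being argued over (not code from this thread or from PostgreSQL itself): a toy client/server login in which the username serves as the fixed salt and the server contributes a random salt per attempt. It makes Tom's rename objection concrete: the server's stored verifier embeds the old username, so renaming the account without re-hashing the password locks the user out. The function names, the two-level hash layout and the sample account table are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

# Added example: a constructed model of "username as fixed salt plus server random salt".
# It is not a claim about any real wire protocol; layout and names are assumptions.


def stored_verifier(password: str, username: str) -> str:
    """What the server keeps on disk: the password hashed with the username as fixed salt."""
    return hashlib.md5((password + username).encode()).hexdigest()


def server_challenge() -> bytes:
    """Server side: a fresh random salt for each login attempt."""
    return secrets.token_bytes(4)


def client_response(password: str, username: str, salt: bytes) -> str:
    """Client side: re-derive the fixed-salt hash locally, then hash it with the random salt."""
    inner = stored_verifier(password, username)
    return hashlib.md5(inner.encode() + salt).hexdigest()


def server_verify(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored verifier; the cleartext password is never needed."""
    expected = hashlib.md5(verifier.encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def login(accounts: dict, username: str, password: str, salt=None) -> bool:
    """One exchange: client names the user, server answers with a salt, client answers with a hash."""
    if username not in accounts:
        return False
    salt = salt if salt is not None else server_challenge()
    return server_verify(accounts[username], salt, client_response(password, username, salt))


def rename_user(accounts: dict, old: str, new: str) -> None:
    """Rename without re-hashing: the stored verifier still carries the old name as its salt."""
    accounts[new] = accounts.pop(old)


if __name__ == "__main__":
    accounts = {"vince": stored_verifier("s3cret", "vince")}  # constructed sample account
    print(login(accounts, "vince", "s3cret"))  # True
    rename_user(accounts, "vince", "vev")
    print(login(accounts, "vev", "s3cret"))  # False: the rename broke the stored verifier
```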