Re: md5 again
From | Vince Vielhaber |
---|---|
Subject | Re: md5 again |
Date | |
Msg-id | Pine.BSF.4.21.0007111528060.98588-100000@paprika.michvhf.com |
In response to | Re: md5 again (Bruce Momjian <pgman@candle.pha.pa.us>) |
List | pgsql-hackers |
On Tue, 11 Jul 2000, Bruce Momjian wrote:

> > And so would the postmaster ;-). The problem here is that the hashed
> > username has to be sent, and there can be no hidden salt involved
> > since it's the first step of the protocol. So the attacker knows
> > exactly what the hashed username is, and if he can guess the username
> > then he can verify it. Then he moves on to guessing/verifying the
> > password. I still don't see a material gain in security here, given
> > that I believe usernames are likely to be pretty easy to guess.
>
> Just do a 'ps' and you have the username for each connection.

True, but I was more concerned with remote sniffing.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
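The argument in the quoted text above, worked through as an added example (not part of the original message and not PostgreSQL code): when the username is the first thing sent, hashing it with no salt, or with a salt the client had to receive in the clear, still lets anyone who sees the wire confirm a guessed username. The scheme names, candidate list and salt value are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample data: usernames an observer might try, and a salt that
# the server would have to send in the clear before the client's first message.
CANDIDATES = ["postgres", "pgsql", "admin", "vince"]
PUBLIC_SALT = b"constructed-salt"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Three hypothetical ways a client could identify itself in its first message.
SCHEMES = {
    "plaintext": lambda user, salt: user,
    "md5(username)": lambda user, salt: md5_hex(user.encode()),
    "md5(public_salt + username)": lambda user, salt: md5_hex(salt + user.encode()),
}


def recover_username(scheme, observed, candidates, salt=b""):
    """Return the candidate that reproduces the observed first message, or None.

    The observer needs only what is on the wire (the message and any salt)
    plus a guess list; none of the schemes involves a secret.
    """
    encode = SCHEMES[scheme]
    for name in candidates:
        if encode(name, salt) == observed:
            return name
    return None


def compare_schemes(real_user, candidates, salt):
    """For each scheme, report which username a wire observer can confirm."""
    results = {}
    for scheme, encode in SCHEMES.items():
        wire_value = encode(real_user, salt)
        results[scheme] = recover_username(scheme, wire_value, candidates, salt)
    return results


if __name__ == "__main__":
    for scheme, found in compare_schemes("postgres", CANDIDATES, PUBLIC_SALT).items():
        print(f"{scheme:30} -> observer confirms: {found}")
```

All three schemes give the same result for a guessable name, which is the "no material gain" point: hashing only hides usernames that are absent from the observer's guess list.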