From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Robert B(dot) Easter" <reaster(at)comptechnews(dot)com> |
Cc: | teg(at)redhat(dot)com (Trond Eivind Glomsrd), Vince Vielhaber <vev(at)michvhf(dot)com>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date: | 2000-05-06 18:55:42 |
Message-ID: | 11317.957639342@sss.pgh.pa.us |
Lists: | pgsql-general pgsql-hackers |

"Robert B. Easter" <reaster(at)comptechnews(dot)com> writes:
> http://www.php.net/manual/function.crypt.php
> It explains that many systems have updated crypt() to use MD5 and how to
> check what hash algorithm your system's crypt() actually uses.

Oh, that's interesting. If that's correct, we *already* have a cross-
platform compatibility problem: a client compiled on a machine with
DES-derived crypt() will be unable to authenticate itself under "crypt"
protocol to a server using MD5-based crypt(), or vice versa, because the
wrong hashed password will be sent. Can someone with access to two such
machines check this?

If that's true, it seriously weakens the backwards-compatibility
argument for sticking with crypt(), IMHO. Old clients on another
platform may already fail to talk to your server...

regards, tom lane
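
One way to run the two-machine check asked for above, as an added example that is not part of the original message or of PostgreSQL: run it on each machine with the same inputs and compare the printed lines. It assumes a C library exposing crypt() that Python can load through ctypes, and that the server accepts only a hash identical to the one it computes itself; the function names, probe password and two-character salt are constructed for illustration.

```python
import ctypes
import ctypes.util
import re

# Traditional DES crypt() output: 2 salt characters + 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hashed, salt):
    """Name the scheme a crypt() result belongs to, judged by its format."""
    if hashed is None:
        return "unsupported"
    if hashed.startswith("$1$"):
        return "md5"
    if hashed.startswith("$"):
        return "other-modular"
    if DES_RE.match(hashed) and hashed[:2] == salt[:2]:
        return "des"
    return "unknown"

def system_crypt(password, salt):
    """Call this machine's C crypt(); None if it is missing or rejects the salt."""
    name = ctypes.util.find_library("crypt") or ctypes.util.find_library("c")
    if name is None:
        return None
    try:
        fn = ctypes.CDLL(name).crypt
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_char_p
    fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    out = fn(password.encode(), salt.encode())
    return out.decode("ascii", "replace") if out else None

def would_authenticate(client_hash, server_hash):
    """Assumption: the server accepts only a hash identical to its own."""
    return client_hash is not None and client_hash == server_hash

if __name__ == "__main__":
    # Constructed probe values; use the same pair on both machines.
    probe_password, probe_salt = "probe-password", "ab"
    result = system_crypt(probe_password, probe_salt)
    print(classify(result, probe_salt), result)
```

If the two machines print different lines for the same password and salt, a client built on one cannot authenticate to a server on the other under the "crypt" method.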