Re: You're on SecurityFocus.com for the cleartext passwords.

> On Sat, 6 May 2000, Bruce Momjian wrote:
>
> > > > Sounds like a winner. Comments?
> > >
> > > Overlycomplicated?
> > >
> > > What was your objection to MD5 again?
> >
> > Also, MD5 is not ideal for passwords. Seems the standard unix-style
> > password crypting is the standard, so it should be used to crypt our own
> > passwords in pg_shadow. I am sure someone would find some problem with
> > us using md5 for password storage.
>
> FreeBSD uses MD5 by default since at least ver 2.2, possibly earlier.

Oh, I didn't know that. Interesting.

>
> > We already use the unix-style password crypt to send passwords over the
> > wire. Why not use it for storage too?
>
> Can ALL clients we support use it over the wire?

That is an excellent question. Any client that can use passwords has to
do this, so yes, I think they all do. I can say for sure Java has it,
and that is usually the hardest.

--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026