Re: So we're in agreement....

On Sun, 7 May 2000, Tom Lane wrote:

> Vince Vielhaber <vev(at)michvhf(dot)com> writes:
> > It could add a level of security. The client knows the username. If
> > the client were to only send LOGIN or something like that to the server
> > without sending the username and the server only replied with the random
> > salt, the client would know that the username was the fixed salt and could
> > use that with random salt received from the server. So it's really a
> > hidden salt.
>
> Hidden from whom? The client *must* send the username to the server,
> so a sniffer who is able to see both sides of the conversation will
> still have all the same pieces. If the sniffer only sees one side of
> the conversation, he's still in trouble: he'll get the random salt, or
> the hashed password, but not both. So I still don't see what the
> username is adding to the process that will make up for rendering it
> much more difficult to rename users.

My intent was not to send the username, but let the server figure it
out by the response.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================