Greg Stark wrote: > Stephen Frost <[EMAIL PROTECTED]> writes: > > > With the 'md5' method the server will send will send a randomly > > generated salt to the client which will then concatenate the user's name > > to the password, perform an md5 on that result, then concatenate the > > result of the md5 to the salt provided by the server and will then md5 > > that. > > I think that in this case calling it a salt altogether is wrong. It's a > "challenge". > > And I'm inclined to suggest that this authentication method be removed > altogether. The security flaw is that it exists at all. Not the details of the > implementation.
That idea is so detached from reality, I don't know how to respond. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073 ---------------------------(end of broadcast)--------------------------- TIP 6: Have you searched our list archives? http://archives.postgresql.org