This seems to have shown two problems. First is using the constant
username 'postgres' for postgres login salt, but if we use something
variable we would have to pass that constant on the wire so everyone
will see it. We can't encrypt the random salt with the password because
the server doesn't

I'm sorry to bring this up again. From the archives I found that the
current md5 authentication scheme of postgres was designed in 2001. I
found a debate about its security from 2002.
http://archives.postgresql.org/pgsql-hackers/2001-06/msg00511.php

Richard van den Berg [EMAIL PROTECTED] writes:
My problem is this: we have ODBC users working from home, so they cannot use
SSL unless we buy the commercial drivers. We decided that encrypting the data
is not required, but we do need to strictly protect access to our database.
You could