[Bruce Momjian]
| store the password in pg_shadow like a unix-style password with salt
| pass the random salt and the salt from pg_shadow to the client
| client crypts the password twice through the routine:
| once using the pg_shadow salt
| another time using the random salt
That's close to what I thought of a couple of days ago too, except I
would have used MD5, since I already have that implemented. :) (It
seems you already have crypt, so you wouldn't need MD5.)
Does anyone here really _know_ (and I mean KNOW)
security/cryptography? If so, could you please comment on this
scheme? And while you're at it, what's better of MD5 and Unix crypt
(triple DES ++, isn't it?) from a security perspective?
Sverre.
--
<URL:mailto:sverrehu@online.no>
<URL:http://home.sol.no/~sverrehu/> Echelon bait: semtex, bin Laden,
plutonium, North Korea, nuclear bomb
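The exchange Bruce sketches above, written out as an added example that is not code from this thread or from PostgreSQL. MD5 stands in for crypt because Sverre says he already has it; the concatenation order (salt followed by secret), the 8-byte salt length, and all function names are assumptions made here for illustration.

```python
"""Challenge-response password check as sketched in the quoted scheme.

Added illustration, not PostgreSQL code. MD5 is used as the one-way
function (Sverre mentions it); hashing the salt followed by the secret
is an assumed layout.
"""
import hashlib
import hmac
import os
from typing import Tuple


def h(*parts: bytes) -> bytes:
    """One-way function: MD5 over the concatenated parts (assumed layout)."""
    m = hashlib.md5()
    for p in parts:
        m.update(p)
    return m.digest()


def create_user(password: str) -> Tuple[bytes, bytes]:
    """Server side: store a salt and the salted hash, like a pg_shadow row."""
    salt = os.urandom(8)
    return salt, h(salt, password.encode())


def server_challenge(stored_salt: bytes) -> Tuple[bytes, bytes]:
    """Server sends the pg_shadow salt plus a fresh random salt (the nonce)."""
    return stored_salt, os.urandom(8)


def client_response(password: str, stored_salt: bytes, nonce: bytes) -> bytes:
    """Client: crypt once with the pg_shadow salt, again with the random salt."""
    inner = h(stored_salt, password.encode())
    return h(nonce, inner)


def server_verify(stored_hash: bytes, nonce: bytes, response: bytes) -> bool:
    """Server recomputes from the stored hash and the nonce it issued.

    Note that the server never needs the cleartext password here.
    """
    expected = h(nonce, stored_hash)
    return hmac.compare_digest(expected, response)


def run_exchange(real_password: str, attempt: str) -> bool:
    """Full round trip: enrol, challenge, respond, verify."""
    salt, stored = create_user(real_password)
    s, nonce = server_challenge(salt)
    resp = client_response(attempt, s, nonce)
    return server_verify(stored, nonce, resp)


def replay_fails(password: str) -> bool:
    """A response captured on the wire is useless against a later challenge,
    because the server issues a new random salt each time."""
    salt, stored = create_user(password)
    _, nonce1 = server_challenge(salt)
    captured = client_response(password, salt, nonce1)
    _, nonce2 = server_challenge(salt)
    return not server_verify(stored, nonce2, captured)


if __name__ == "__main__":
    print("correct password accepted:", run_exchange("correct horse", "correct horse"))
    print("wrong password rejected:  ", not run_exchange("correct horse", "battery staple"))
    print("replay rejected:          ", replay_fails("correct horse"))
```

Two things a reviewer would point out from the code alone: the random salt is what keeps a sniffed response from being replayed, so it must be unpredictable and fresh per attempt; and `server_verify` works from `stored_hash` without ever seeing the password, which means the pg_shadow value is itself a credential and must be protected as one. Neither property depends on whether the one-way function is MD5 or crypt.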