Re: [PATCHES] Re: [HACKERS] User authentication bug?

Michael Graff <explorer@flame.org>

From: Michael Graff <explorer@flame.org>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: M.Boekhold@ET.TUDelft.NL, pgsql-hackers@postgreSQL.org, pgsql-interfaces@postgreSQL.org, pgsql-patches@postgreSQL.org
Date: 1998-08-02T19:54:57Z
Lists: pgsql-hackers
Tom Lane <tgl@sss.pgh.pa.us> writes:

> With the attached patch, I have verified that long (> 8char anyway)
> usernames and passwords work correctly in both "password" and "crypt"
> authorization mode.  NOTE: at least on my machine, it seems that the
> crypt() routines ignore the part of the password beyond 8 characters,
> so there's no security gain from longer passwords in crypt auth mode.
> But they don't fail.

Which is why postgres should use MD5, salted with the username, as a
password one-way hash.  :)

--Michael