Re: [PATCHES] Re: [HACKERS] User authentication bug?
Michael Graff <explorer@flame.org>
From: Michael Graff <explorer@flame.org>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: M.Boekhold@ET.TUDelft.NL, pgsql-hackers@postgreSQL.org, pgsql-interfaces@postgreSQL.org, pgsql-patches@postgreSQL.org
Date: 1998-08-02T19:54:57Z
Lists: pgsql-hackers
Tom Lane <tgl@sss.pgh.pa.us> writes: > With the attached patch, I have verified that long (> 8char anyway) > usernames and passwords work correctly in both "password" and "crypt" > authorization mode. NOTE: at least on my machine, it seems that the > crypt() routines ignore the part of the password beyond 8 characters, > so there's no security gain from longer passwords in crypt auth mode. > But they don't fail. Which is why postgres should use MD5, salted with the username, as a password one-way hash. :) --Michael