On Thu, 2004-08-19 at 08:30, Daniel Martini wrote:
> Hello list,
>
> Citing Alvaro Herrera <alvherre@dcc.uchile.cl>:
> > The problem here is that the password can't be stored one-way-hash
> > digested, because the cleartext version is needed to be sent to the
> > server.
>
> Actually why this is so has been a question for me for some time now, too.
> Did just nobody have the time / idea to implement support for sending
> hashed passwords to the server, or are there serious difficulties involved
> with this, and I don't see them?
As far as I am aware, crypt and md5 passwords are not sent in cleartext
form. password passwords (?!) are sent clear, but their use is
deprecated.
I think the password can't be stored hash-digested because it has to be
encrypted with a salt established at runtime. If you could just send
the same hash-digested password over and over, it would be no more
secure than a plaintext one.
Oliver Elphick
