> And so would the postmaster ;-). The problem here is that the hashed
> username has to be sent, and there can be no hidden salt involved
> since it's the first step of the protocol. So the attacker knows
> exactly what the hashed username is, and if he can guess the username
> then he can verify it. Then he moves on to guessing/verifying the
> password. I still don't see a material gain in security here, given
> that I believe usernames are likely to be pretty easy to guess.
Just do a 'ps' and you have the username for each connection.

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026