> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > OK, patch attached. Pretty nifty. Try MD5 first, and if it fails, try
> > crypt.
>
> What???
>
> Where did *that* idea come from? If I'm using the new auth method
> because I don't think the old one is secure, I sure as heck don't want
> an old (or deliberately-broken) client to cause a fallback to a less
> secure method.

Just a reminder. What I think is insecure is the size of our salt.
With only 3300 possible salts, it doesn't take long to play back a
duplicate. That is true of MD5 and crypt.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
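
Added example, not part of the original message or of the PostgreSQL code: a short calculation of how the size of the salt space determines how often a recorded challenge/response pair can be reused, which is the concern raised above and the quantity to check when sizing a salt. It assumes the server draws salts uniformly at random; the 3300 figure is the one quoted in the message, and the 4-byte salt is an assumed comparison point.

```python
import math
import random

PAGE_SALT_SPACE = 3300       # figure quoted in the message above
ASSUMED_WIDE_SPACE = 2 ** 32  # assumption for comparison: a 4-byte random salt


def replay_probability(salt_space: int, captured: int) -> float:
    """Chance that a fresh uniform salt equals one seen in `captured` recorded logins."""
    # 1 - (1 - 1/N)^k, computed with log1p/expm1 so large N keeps its precision.
    return -math.expm1(captured * math.log1p(-1.0 / salt_space))


def captures_for_probability(salt_space: int, target: float) -> int:
    """Smallest number of recorded logins for which replay_probability >= target."""
    return math.ceil(math.log1p(-target) / math.log1p(-1.0 / salt_space))


def simulate(salt_space: int, captured: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo check of replay_probability using constructed random salts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = {rng.randrange(salt_space) for _ in range(captured)}
        hits += rng.randrange(salt_space) in seen  # next challenge already recorded?
    return hits / trials


if __name__ == "__main__":
    for space in (PAGE_SALT_SPACE, ASSUMED_WIDE_SPACE):
        half = captures_for_probability(space, 0.5)
        print(f"salt space {space}: {half} recorded logins give a 50% chance "
              f"that the next challenge repeats a recorded salt")
    print("closed form:", round(replay_probability(PAGE_SALT_SPACE, 1000), 4),
          "simulated:", simulate(PAGE_SALT_SPACE, 1000, 2000, seed=1))
```

The result depends only on the number of possible salts, not on whether the response is computed with MD5 or crypt, which matches the point made in the message.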