>> There is a challenge/response compoent, so the md5 hash which is stored
>> is not what is sent across the wire. That prevents replay attacks when
>> the attacker is simply sniffing the network.
> Worth noting here is that the challenge key space is not all that huge,
> so an attacker who captures a large number of challenge/response pairs
> would have a good probability of being able to answer the next challenge
> successfully. However, if you're concerned about sniffing of your
> database connections happening on that scale, you really ought to be using
> SSL encryption which would make the whole thing moot. In many cases,
> capturing a database session would reveal lots of interesting data passing
> over the wire whether or not you'd captured a usable password --- so I'd
> call it fairly irresponsible to not be using SSL if you think your
> connection is open to sniffing.
Thank you for your responses, this is exactly what I was looking for.