On Sun, 7 May 2000, Tom Lane wrote:
> Vince Vielhaber <vev@michvhf.com> writes:
> > It could add a level of security. The client knows the username. If
> > the client were to only send LOGIN or something like that to the server
> > without sending the username and the server only replied with the random
> > salt, the client would know that the username was the fixed salt and could
> > use that with random salt received from the server. So it's really a
> > hidden salt.
>
> Hidden from whom? The client *must* send the username to the server,
> so a sniffer who is able to see both sides of the conversation will
> still have all the same pieces. If the sniffer only sees one side of
> the conversation, he's still in trouble: he'll get the random salt, or
> the hashed password, but not both. So I still don't see what the
> username is adding to the process that will make up for rendering it
> much more difficult to rename users.
My intent was not to send the username, but let the server figure it
out by the response.
Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================