"Kevin Grittner" <kevin.gritt...@wicourts.gov> writes: > And, perhaps slightly off topic: if the login password is sent over a > non-encrypted stream, md5sum or not, can't someone use it to log in if > they're generating their own stream to connect?
Not if they only capture a login exchange --- the password is doubly encrypted during that. If they see the md5'd password in a CREATE USER command, then yeah, they could pass a subsequent md5 challenge, using suitably modified client software that doesn't try to re-encrypt the given password. But the main point is to hide the cleartext password, in any case. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers