On Thu, Apr 21, 2005 at 12:13:50AM -0400, Tom Lane wrote:
> It's worth pointing out also that adding a per-user-entry random salt
> to the password protocol is not some kind of penalty-free magic bullet.
> In particular it implies information leakage: I can tell from the
> password challenge (or lack of one) whether the username I have offered
> is valid. So rather than claiming "this is unconditionally a good thing
> to do", you must actually provide a credible scenario that makes the
> threat you are defending against more dangerous than the sorts of new
> threats we'll be exposed to. So far I haven't seen a very credible
> threat here.
I would think it wouldn't be hard to change the protocol/code so that the response from providing an invalid user is the same as providing a valid one.

-- 
Jim C. Nasby, Database Consultant               [EMAIL PROTECTED]
Give your computer some brain candy! www.distributed.net Team #1828

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
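The exchange above is about a salted challenge-response password exchange leaking whether a username exists (a challenge for real users, none otherwise) and the suggested fix of answering identically either way. The following is an added illustration of that fix, not PostgreSQL code and not code from either poster: a hypothetical server-side sketch with a constructed user table, a made-up password, and an assumed server-only secret. The key design point it shows is that the fake salt for an unknown user must be deterministic (derived from the username with a server secret), because a fresh random value on every attempt would itself reveal that no account exists.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16

def make_user(password: str) -> tuple[bytes, bytes]:
    """Create a (salt, verifier) pair as a server would store it."""
    salt = secrets.token_bytes(SALT_LEN)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, verifier

# Constructed sample user table: username -> (salt, verifier). The password is made up.
USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Assumed server-only secret. It lives outside the user table so that a copy of
# the table does not let anyone tell real salts from fabricated ones.
SERVER_KEY = secrets.token_bytes(32)

def leaky_challenge(username: str):
    """Challenge as described in the quoted text: a salt for real users, nothing otherwise."""
    entry = USERS.get(username)
    return entry[0] if entry else None

def uniform_challenge(username: str) -> bytes:
    """Challenge with the suggested fix: unknown users get a stable, look-alike salt.

    HMAC(server_key, username) is the same on every connection, so an observer
    cannot distinguish it from a stored salt by value, length, or consistency.
    """
    entry = USERS.get(username)
    if entry:
        return entry[0]
    return hmac.new(SERVER_KEY, username.encode(), "sha256").digest()[:SALT_LEN]

def authenticate(username: str, password: str) -> bool:
    """Verify a password; the unknown-user path does the same work as the known one."""
    salt = uniform_challenge(username)
    entry = USERS.get(username)
    # A dummy verifier keeps the unknown-user path from returning early.
    stored = entry[1] if entry else bytes(32)
    computed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    matches = hmac.compare_digest(computed, stored)
    return matches and entry is not None

def leaks_user_existence(challenge_fn, known: str, unknown: str) -> bool:
    """True if the challenge differs in kind or size between a real and a fake user."""
    a, b = challenge_fn(known), challenge_fn(unknown)
    if a is None or b is None:
        return a is not b
    return len(a) != len(b)

if __name__ == "__main__":
    print("leaky challenge leaks:", leaks_user_existence(leaky_challenge, "alice", "mallory"))
    print("uniform challenge leaks:", leaks_user_existence(uniform_challenge, "alice", "mallory"))
    print("alice login:", authenticate("alice", "correct horse battery staple"))
    print("mallory login:", authenticate("mallory", "anything"))
```

`leaks_user_existence` is only a sanity check on the shape of the challenge; a full review would also compare response timing between the two paths, which is why `authenticate` runs the password derivation even when the user does not exist.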