Re: Password thread (was: Re: [HACKERS] Updated TODO list)

From: "Gene Sokolov" <hook(at)aktrad(dot)ru>
To: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>
Cc: <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: Password thread (was: Re: [HACKERS] Updated TODO list)
Date: 1999-07-16 08:10:36
Message-ID: 011301becf62$af711140$0d8cdac3@aktrad.ru
Lists: pgsql-hackers

From: Henry B. Hotz <hotz(at)jpl(dot)nasa(dot)gov>
> >Agreed: over the wire is _very_ important. The question remains: does the
>
> >But above all: do not store passwords in cleartext. It makes it
> >ridiculously easy for an attacker to take over user accounts. Let's say
>
> There is a fundamental conflict here: If you want to encrypt the stored
> passwords then they have to go over the wire in the clear. If you want the

I have repeated it several times already: there is NO conflict. The conflict
is due to the present security scheme only. It's purely technical, nothing
more.

Yes, in any security scheme (short of full blown RSA) you still have to
store something at the server which can be used to gain access to the
database if stolen. But that does not have to be the cleartext password
itself.

Gene Sokolov.
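
The point made in the message above, sketched as a salted challenge-response exchange in which neither the server's store nor the wire carries the cleartext password. This is an added example, not code from the post or from PostgreSQL; the `Server` class, the function names, the PBKDF2/HMAC-SHA-256 choice and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_verifier(password, salt):
    """What the server stores instead of the cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def prove(verifier, nonce):
    """Response bound to one nonce; needs the verifier, not the password."""
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.users = {}    # user -> (salt, verifier); no cleartext kept
        self.pending = {}  # user -> outstanding nonce, accepted once

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_verifier(password, salt))

    def challenge(self, user):
        """Wire message 1, server -> client: salt and a fresh nonce."""
        self.pending[user] = secrets.token_bytes(16)
        return self.users[user][0], self.pending[user]

    def verify(self, user, response):
        """Check wire message 2 against the stored verifier."""
        nonce = self.pending.pop(user, None)
        expected = prove(self.users[user][1], nonce or b"")
        return nonce is not None and hmac.compare_digest(expected, response)


def login(server, user, password):
    """One full exchange; returns (accepted, every byte sent on the wire)."""
    salt, nonce = server.challenge(user)
    response = prove(derive_verifier(password, salt), nonce)  # client side
    return server.verify(user, response), salt + nonce + response


if __name__ == "__main__":
    srv = Server()
    srv.enroll("alice", "correct horse")  # constructed sample credentials
    print(login(srv, "alice", "correct horse")[0], login(srv, "alice", "guess")[0])
```

Because `prove` needs only the verifier, the stored value is still a credential and must be protected as one, which is the residual risk the message concedes; what the store and the wire no longer reveal is the password itself.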
