| From: | "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | <pgsql-odbc(at)postgresql(dot)org> |
| Subject: | Re: odbc - ssl: how-to-do-it. |
| Date: | 2003-05-29 14:37:27 |
| Message-ID: | 03AF4E498C591348A42FC93DEA9661B83AF0DB@mail.vale-housing.co.uk |
| Lists: | pgsql-odbc |
> -----Original Message-----
> From: Tom Lane [mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us]
> Sent: 29 May 2003 14:57
> To: Dave Page
> Cc: Clay Luther; John K. Herreshoff; pgsql-odbc(at)postgresql(dot)org
> Subject: Re: [ODBC] odbc - ssl: how-to-do-it.
>
>
> "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> writes:
> >> Is there any way/what are the ways to secure the passwords
> >> sent by the PGODBC driver to the DB?
>
> > Use md5 passwords. It won't prevent a replay attack, but at least they
> > won't be plain text.
>
> Actually md5 does make a replay attack substantially harder.
> What goes over the wire is an md5 checksum of the cleartext
> password plus username plus a 4-byte salt chosen on-the-fly
> by the server. So a replay attacker would have to be lucky
> enough to be challenged with the same salt he'd seen used before.

Ahh, I thought it sent just the password checksum and compared it to the
md5 checksum in pg_shadow - thanks.

Regards, Dave.
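
The challenge-response exchange described in the quoted reply, as an added example that is not part of the original thread. The two-step hashing (`md5(md5(password + username) + salt)`, prefixed with `md5`) follows PostgreSQL's protocol documentation rather than the email; the user name, password and salt values are constructed samples.

```python
import hashlib
import hmac
import os

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_hash(user: str, password: str) -> str:
    # Value kept server-side (pg_shadow): "md5" + md5(password || username).
    return "md5" + md5_hex(password.encode() + user.encode())

def client_response(user: str, password: str, salt: bytes) -> str:
    # Sent over the wire: "md5" + md5(hex(md5(password || username)) || salt).
    inner = md5_hex(password.encode() + user.encode())
    return "md5" + md5_hex(inner.encode() + salt)

def server_verify(shadow: str, salt: bytes, response: str) -> bool:
    # The server never needs the cleartext: it salts its stored hash the same way.
    expected = "md5" + md5_hex(shadow[3:].encode() + salt)
    return hmac.compare_digest(expected, response)

def new_salt() -> bytes:
    # 4-byte salt chosen per connection attempt (2**32 possible values).
    return os.urandom(4)

# Constructed sample values, not taken from the thread.
USER, PASSWORD = "alice", "constructed-sample-password"
SALT_SEEN = bytes.fromhex("01020304")   # salt of the observed login
SALT_LATER = bytes.fromhex("a1b2c3d4")  # salt the server issues on a later attempt

def replay_demo() -> tuple[bool, bool]:
    shadow = stored_hash(USER, PASSWORD)
    observed = client_response(USER, PASSWORD, SALT_SEEN)
    ok_original = server_verify(shadow, SALT_SEEN, observed)
    ok_replayed = server_verify(shadow, SALT_LATER, observed)
    return ok_original, ok_replayed

if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```

The response recorded under one salt is rejected when the server issues a different salt, which is why a replay only works if the same 4-byte challenge comes up again.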