From: | "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> |
---|---|
To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | <pgsql-odbc(at)postgresql(dot)org> |
Subject: | Re: odbc - ssl: how-to-do-it. |
Date: | 2003-05-29 14:37:27 |
Message-ID: | 03AF4E498C591348A42FC93DEA9661B83AF0DB@mail.vale-housing.co.uk |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-odbc |
> -----Original Message-----
> From: Tom Lane [mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us]
> Sent: 29 May 2003 14:57
> To: Dave Page
> Cc: Clay Luther; John K. Herreshoff; pgsql-odbc(at)postgresql(dot)org
> Subject: Re: [ODBC] odbc - ssl: how-to-do-it.
>
>
> "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> writes:
> >> Is there any way/what are the ways to secure the passwords
> >> sent by the PGODBC driver to the DB?
>
> > Use md5 passwords. It won't prevent a replay attack, but at
> least they
> > won't be plain text.
>
> Actually md5 does make a replay attack substantially harder.
> What goes over the wire is an md5 checksum of the cleartext
> password plus username plus a 4-byte salt chosen on-the-fly
> by the server. So a replay attacker would have to be lucky
> enough to be challenged with the same salt he'd seen used before.
Ahh, I thought it sent just the password checksum and compared it to the
md5 checksum in pg_shadow - thanks.
Regards, Dave.
From | Date | Subject | |
---|---|---|---|
Next Message | Chris Gamache | 2003-05-29 14:38:18 | Re: ODBC 703001 crashes IIS |
Previous Message | Tom Lane | 2003-05-29 13:56:53 | Re: odbc - ssl: how-to-do-it. |