| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Benjamin Adida <ben(at)mit(dot)edu> |
| Cc: | "Robert B(dot) Easter" <reaster(at)comptechnews(dot)com>, Trond Eivind Glomsrxd <teg(at)redhat(dot)com>, Vince Vielhaber <vev(at)michvhf(dot)com>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
| Date: | 2000-05-06 22:12:54 |
| Message-ID: | 12190.957651174@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
Benjamin Adida <ben(at)mit(dot)edu> writes:
> I think it's overkill to impose SSL for everything.
Agreed, and in any case we are not going to require people to install
SSL before they can use Postgres. It's an appropriate tool for some
people to use depending on what their security situation is.
I think we are converging on a plan that involves switching from crypt
to MD5 as our password-hashing algorithm, so given that we are going to
need a client upgrade anyway, we can throw in the double hashing (two
salt) method you proposed without any extra pain. Might as well protect
the password against sniffing if we can...
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert B. Easter | 2000-05-07 02:02:04 | Re: You're on SecurityFocus.com for the cleartext passwords. |
| Previous Message | Tom Lane | 2000-05-06 22:02:07 | Re: You're on SecurityFocus.com for the cleartext passwords. |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2000-05-06 22:21:19 | Re: ROLLBACK of DROP TABLE leaves database in inconsistent state |
| Previous Message | Tom Lane | 2000-05-06 22:02:07 | Re: You're on SecurityFocus.com for the cleartext passwords. |