From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Benjamin Adida <ben(at)mit(dot)edu>, "Robert B(dot) Easter" <reaster(at)comptechnews(dot)com>, Trond Eivind Glomsrxd <teg(at)redhat(dot)com>, Vince Vielhaber <vev(at)michvhf(dot)com>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgreSQL(dot)org |
Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date: | 2000-05-07 03:11:35 |
Message-ID: | 200005070311.XAA27828@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
> Benjamin Adida <ben(at)mit(dot)edu> writes:
> > I think it's overkill to impose SSL for everything.
>
> Agreed, and in any case we are not going to require people to install
> SSL before they can use Postgres. It's an appropriate tool for some
> people to use depending on what their security situation is.
>
> I think we are converging on a plan that involves switching from crypt
> to MD5 as our password-hashing algorithm, so given that we are going to
> need a client upgrade anyway, we can throw in the double hashing (two
> salt) method you proposed without any extra pain. Might as well protect
> the password against sniffing if we can...
That was my logic. Pretty cheap to do it.
--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2000-05-07 03:14:52 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Bruce Momjian | 2000-05-07 03:10:47 | Re: You're on SecurityFocus.com for the cleartext passwords. |
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2000-05-07 03:14:52 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Bruce Momjian | 2000-05-07 03:10:47 | Re: You're on SecurityFocus.com for the cleartext passwords. |