From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | "Robert B(dot) Easter" <reaster(at)comptechnews(dot)com> |
Cc: | Benjamin Adida <ben(at)mit(dot)edu>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date: | 2000-05-07 04:17:28 |
Message-ID: | 200005070417.AAA03040@candle.pha.pa.us |
Lists: | pgsql-general pgsql-hackers |
> I see. This protects the hash, which is an effective password, from being
> gotten by sniffers. But a cracker who has stolen the hashes out of Postgres can
> still get in no matter what until you change the passwords.
>
> I guess hashed password authentication is really not designed for use over an
> untrusted connection. You get the "hash becomes effective password" problem.
> It's very important that the hashed passwords stored in Postgres cannot be read
> by anyone except the Postgres superuser.
>
> Am I getting this right?
Good point. Though they can't see the original password, they can have
a pgsql client use it to connect to the database.
Anyone have a fix for that one?
--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
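As an added illustration (not code from this thread or from PostgreSQL), a toy model of the problem discussed above and of the direction later challenge-response designs took: in scheme A the server stores H(pw) and the client's proof is keyed with H(pw), so whoever copies the stored value can log in; in scheme B the server stores a one-way image of a client-side key, so the same stolen value no longer authenticates. Function names, the salt and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
# Toy model of the thread's concern (illustrative names, not PostgreSQL code).
# Scheme A: server stores H(pw), client proof is keyed with H(pw): the stored value
# is the effective password. Scheme B: server stores H(client_key), which does not
# reveal client_key, yet the client must hold client_key to build a valid proof.

def a_enroll(password: bytes) -> bytes:
    return hashlib.sha256(password).digest()            # what the server stores

def a_prove(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def a_verify(stored: bytes, nonce: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(a_prove(stored, nonce), proof)

def b_client_key(password: bytes, salt: bytes) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, 4096)  # assumed params
    return hmac.new(salted, b"Client Key", hashlib.sha256).digest()

def b_enroll(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(b_client_key(password, salt)).digest()  # stores H(client_key)

def b_prove(client_key: bytes, nonce: bytes) -> bytes:
    # proof = client_key XOR HMAC(H(client_key), nonce); only client_key builds it
    sig = hmac.new(hashlib.sha256(client_key).digest(), nonce, hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(client_key, sig))

def b_verify(stored: bytes, nonce: bytes, proof: bytes) -> bool:
    sig = hmac.new(stored, nonce, hashlib.sha256).digest()
    recovered = bytes(x ^ y for x, y in zip(proof, sig))     # candidate client_key
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored)

PASSWORD, SALT = b"constructed-example-pw", b"constructed-salt"   # constructed sample

def legitimate_login(scheme: str) -> bool:
    """Client that knows the password; both schemes accept it."""
    nonce = os.urandom(16)
    if scheme == "a":
        return a_verify(a_enroll(PASSWORD), nonce, a_prove(a_enroll(PASSWORD), nonce))
    return b_verify(b_enroll(PASSWORD, SALT), nonce, b_prove(b_client_key(PASSWORD, SALT), nonce))

def stolen_value_suffices(scheme: str) -> bool:
    """Client that holds only the server-side stored value, not the password."""
    nonce = os.urandom(16)
    if scheme == "a":
        stored = a_enroll(PASSWORD)
        return a_verify(stored, nonce, a_prove(stored, nonce))  # True: hash is the password
    stored = b_enroll(PASSWORD, SALT)
    return b_verify(stored, nonce, b_prove(stored, nonce))      # False: needs client_key
```

Scheme B still leaves a copied server-side table usable for offline guessing against the salted hash, so the stored values must stay readable only by the superuser either way; what changes is that the copy alone no longer logs in.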
From | Date | Subject | |
---|---|---|---|
Next Message | Vince Vielhaber | 2000-05-07 04:18:08 | Re: So we're in agreement.... |
Previous Message | Tom Lane | 2000-05-07 04:10:02 | Re: You're on SecurityFocus.com for the cleartext passwords. |