From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Tycho Fruru <tycho(at)fruru(dot)com> |
Cc: | Scott Lamb <slamb(at)slamb(dot)org>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Postgresql -- initial impressions and comments |
Date: | 2002-12-03 23:37:07 |
Message-ID: | 200212032337.gB3Nb7r02341@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Tycho Fruru wrote:
> > 7.3 stores encrypted MD5 passowords in database (7.2 it is optional).
> > We send random salt to client and client double-MD5 encrypts, so
> > playback will not work --- best of both worlds.
>
> So, if I understand it correctly :
>
> - on the wire : no cleartext passwords, only doubly hashed + salted
> passwords -> no replay possible (watch out for session hijacking though)
> nor password sniffing
>
Right.
> - in the database : no cleartext passwords are stored, but access to the
> md5 hashed passwords is sufficient to get access to the database -
> without really knowing the user's password - by using a modified client.
Right.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Carmack | 2002-12-03 23:57:18 | createdb -D and absolute paths |
Previous Message | Tycho Fruru | 2002-12-03 23:34:30 | Re: Postgresql -- initial impressions and comments |