| From: | Jorge Godoy <jgodoy(at)gmail(dot)com> |
|---|---|
| To: | paul rivers <rivers(dot)paul(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Connect to postgres from a dynamic IP |
| Date: | 2008-03-04 02:41:50 |
| Message-ID: | 200803032341.51308.jgodoy@gmail.com |
| Lists: | pgsql-general |
On Monday 03 March 2008 13:17:03 you wrote:
>
> My understanding is no password is sent in the clear with md5 per:
>
> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
But the MD5 hash is. This page states that the password can't be directly
sniffed, but one can still get the hash of the password and perform a
dictionary attack against it on a local copy (i.e., without ever trying to
connect to the server).
After a successful attack then one can connect directly to the server as if
the password was known to him/her.
Encrypting the channel -- be it with SSL or SSH, for example -- will prevent
the sniffer from being able to capture the hash, so your password will be
safer.
--
Jorge Godoy <jgodoy(at)gmail(dot)com>
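
A defensive check for the point made in this message, as an added example that is not part of the original post: it scans a `pg_hba.conf` for rules that accept `md5` or `password` authentication over TCP from non-loopback addresses without requiring SSL. The sample file and the function names are constructed for illustration, and the parser ignores quoted fields and IPv6 netmask pairs.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the thread).
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS                 METHOD
local     all       all                           md5
host      all       all   127.0.0.1/32            md5
host      all       all   0.0.0.0/0               md5
hostssl   all       all   0.0.0.0/0               md5
host      appdb     app   10.0.0.0 255.255.255.0  password
hostnossl all       all   192.168.1.0/24          md5
"""

PASSWORD_METHODS = {"md5", "password"}
# "host" matches both SSL and non-SSL TCP connections, so it still permits
# an unencrypted login; only "hostssl" refuses one.
PLAINTEXT_TYPES = {"host", "hostnossl"}


def split_address(fields):
    """fields = everything after TYPE DATABASE USER; returns (network, method)."""
    addr = fields[0]
    try:
        if "/" in addr:  # CIDR form
            return ipaddress.ip_network(addr, strict=False), fields[1]
        ipaddress.ip_address(addr)  # bare IP: the next field is a netmask
        return ipaddress.ip_network(f"{addr}/{fields[1]}", strict=False), fields[2]
    except (ValueError, IndexError):
        return None, fields[1]  # host name, keyword, or unsupported form


def audit(text):
    """Return (line number, type, address, method) for each risky rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in PLAINTEXT_TYPES:
            continue
        net, method = split_address(fields[3:])
        # Loopback traffic never leaves the host, so it is not reported here.
        loopback = net is not None and net.is_loopback
        if method in PASSWORD_METHODS and not loopback:
            findings.append((lineno, fields[0], str(net or fields[3]), method))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HBA):
        print("line %d: %s %s %s allows a login without SSL" % finding)
```

Changing a flagged `host` rule to `hostssl` makes the server reject non-SSL connections that would otherwise match it.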