| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Lincoln Yeoh <lylyeoh(at)mecomb(dot)com> |
| Cc: | Jim Mercer <jim(at)reptiles(dot)org>, David Duddleston <david(at)i2a(dot)com>, pgsql-general(at)hub(dot)org |
| Subject: | Re: PostgreSQL cleartext passwords |
| Date: | 2000-05-19 01:59:41 |
| Message-ID: | 26585.958701581@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Lincoln Yeoh <lylyeoh(at)mecomb(dot)com> writes:
> At 05:38 PM 18-05-2000 -0400, Tom Lane wrote:
>> Not so! "crypt" authentication provides for sending passwords in
>> crypted form during login (which is good if you're afraid of password-
>> sniffers, but then maybe you should be using SSL to protect your whole
>> session, not only the password). But it doesn't change the contents
>> of pg_shadow.
> But if someone sniffs the crypted form, won't they be able to reuse it?
Not unless they're lucky enough to be challenged with the same random
"salt" value that was used in the login transaction they sniffed.
I don't particularly care to rehash the *very* long discussion we just
went through on the hackers list. Suffice it to say that the current
method is not a waste of time, but it could be made better. See the
archives (if Marc ever gets them working again :-() for details.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | ddd | 2000-05-19 02:03:49 | Re: Am I really stupid??? |
| Previous Message | Lincoln Yeoh | 2000-05-19 01:49:07 | Re: PostgreSQL cleartext passwords |