From: | Benjamin Adida <ben(at)mit(dot)edu> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Vince Vielhaber <vev(at)michvhf(dot)com>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date: | 2000-05-06 18:21:10 |
Message-ID: | B539DAD6.3715%ben@mit.edu |
Lists: | pgsql-general pgsql-hackers |
on 5/6/00 2:14 PM, Tom Lane at tgl(at)sss(dot)pgh(dot)pa(dot)us wrote:
> However, I still fail to see what it buys us to challenge the frontend
> with two salts. If the password is stored crypted, the *only* thing
> we can validate is that password with the same salt it was stored
> with. It doesn't sound like MD5 changes this at all.
The MD5 definitely doesn't change anything except overall security strength
of the algorithm. The additional random salt prevents someone from sniffing
the communication between client and server and then simply logging in by
sending the known hash of the password. The challenge-response means that
sniffing one login doesn't allow you to fake the next one.
-Ben
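The two-salt exchange described in the message above, as an added example that is not code from the thread or from PostgreSQL. It models both schemes side by side: a single-salt login, where the client sends the stored hash and a sniffed response replays cleanly, and the two-salt challenge-response, where the server adds a fresh per-login salt so a captured response is useless against the next challenge. All names (`enroll`, `issue_challenge`, `client_response`, `verify`, and the salt sizes) are my own assumptions; MD5 is used only because it is the hash under discussion.

```python
import hashlib
import hmac
import secrets

# Added example, not from the thread. Hash function and salt layout are
# assumptions chosen to mirror the scheme being discussed, not PostgreSQL's wire format.


def hash_with_salt(data: str, salt: str) -> str:
    """Salted hash over salt || data (MD5, as discussed in the thread)."""
    return hashlib.md5((salt + data).encode()).hexdigest()


def enroll(password: str) -> dict:
    """Server side: pick a per-user stored salt and keep only the salted hash."""
    stored_salt = secrets.token_hex(4)
    return {"stored_salt": stored_salt, "pw_hash": hash_with_salt(password, stored_salt)}


# --- Scheme 1: single salt. The client sends the stored hash itself. ---

def single_salt_response(password: str, record: dict) -> str:
    """Client side: what goes over the wire is exactly the stored hash."""
    return hash_with_salt(password, record["stored_salt"])


def verify_single_salt(record: dict, response: str) -> bool:
    """Server side: compare against the stored hash. Anything sniffed replays."""
    return hmac.compare_digest(record["pw_hash"], response)


# --- Scheme 2: stored salt plus a random per-login salt (challenge-response). ---

def issue_challenge(record: dict) -> dict:
    """Server side: send the stored salt and a fresh random session salt."""
    return {"stored_salt": record["stored_salt"], "session_salt": secrets.token_hex(8)}


def client_response(password: str, challenge: dict) -> str:
    """Client side: recompute the stored hash, then hash it again with the session salt."""
    inner = hash_with_salt(password, challenge["stored_salt"])
    return hash_with_salt(inner, challenge["session_salt"])


def verify(record: dict, challenge: dict, response: str) -> bool:
    """Server side: needs only the stored hash, never the cleartext password."""
    expected = hash_with_salt(record["pw_hash"], challenge["session_salt"])
    return hmac.compare_digest(expected, response)


def replay_against_new_challenge(record: dict, sniffed_response: str) -> bool:
    """Attacker's view (defensive check): a captured response tried on a new login."""
    fresh = issue_challenge(record)
    return verify(record, fresh, sniffed_response)


if __name__ == "__main__":
    # Constructed sample credential; nothing here comes from a real system.
    record = enroll("correct horse")

    # Single salt: one sniffed login is enough to log in again.
    sniffed = single_salt_response("correct horse", record)
    print("single-salt replay accepted:", verify_single_salt(record, sniffed))  # True

    # Two salts: the response is bound to this login's session salt only.
    challenge = issue_challenge(record)
    response = client_response("correct horse", challenge)
    print("genuine login accepted:", verify(record, challenge, response))  # True
    print("replay on new challenge accepted:",
          replay_against_new_challenge(record, response))  # False
```

One caveat worth keeping in mind when deploying this shape of protocol: the server-side stored hash is itself enough to compute a valid response, so a copy of the password table (as opposed to a network capture) still yields working logins; the second salt defends against the sniffer, not against exposure of the stored hashes.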
From | Date | Subject | |
---|---|---|---|
Next Message | Robert B. Easter | 2000-05-06 18:26:09 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Tom Lane | 2000-05-06 18:14:13 | Re: You're on SecurityFocus.com for the cleartext passwords. |