From: | Benjamin Adida <ben(at)mit(dot)edu> |
---|---|
To: | Vince Vielhaber <vev(at)michvhf(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Benjamin Adida <ben(at)mit(dot)edu>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date: | 2000-05-06 18:41:57 |
Message-ID: | B539DFB5.371E%ben@mit.edu |
Lists: | pgsql-general pgsql-hackers |

on 5/6/00 2:40 PM, Vince Vielhaber at vev(at)michvhf(dot)com wrote:
> Why should this work? Because the next time the client tries to connect
> it will be given a different salt. But why twice? It seems that once
> would be enough since it's a random salt to begin with and the client
> should never be getting that salt twice.

No, the reason why you would have "two" hashes is so that the server doesn't
have to store the cleartext password. The server stores an already-hashed
version of the password, so the client must hash the cleartext twice, once
with a long-term salt, once with a random, one-time salt.
-Ben
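
The exchange described in the message above, as an added example that is not part of the original email or of PostgreSQL's code. SHA-256, the function names, and the sample password and salts are assumptions chosen for illustration; the thread itself names no algorithm.

```python
import hashlib
import hmac
import os


def salted_hash(data: bytes, salt: bytes) -> bytes:
    """Salted hash. SHA-256 is an assumed stand-in, not the thread's choice."""
    return hashlib.sha256(data + salt).digest()


def make_stored_value(password: str, long_term_salt: bytes) -> bytes:
    """First hash: what the server keeps instead of the cleartext password."""
    return salted_hash(password.encode(), long_term_salt)


def client_response(password: str, long_term_salt: bytes, one_time_salt: bytes) -> bytes:
    """Client hashes twice: long-term salt first, then the one-time salt."""
    first = make_stored_value(password, long_term_salt)
    return salted_hash(first, one_time_salt)


def server_check(stored: bytes, one_time_salt: bytes, response: bytes) -> bool:
    """Server applies only the second hash to its stored value and compares."""
    expected = salted_hash(stored, one_time_salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    long_term_salt = b"alice"          # constructed sample, e.g. a per-user value
    stored = make_stored_value("s3cret", long_term_salt)

    salt_1 = os.urandom(16)            # one-time salt issued for connection 1
    salt_2 = os.urandom(16)            # a later connection gets a different salt
    response_1 = client_response("s3cret", long_term_salt, salt_1)
    wrong = client_response("guess", long_term_salt, salt_1)

    return {
        "login_ok": server_check(stored, salt_1, response_1),
        "wrong_password": server_check(stored, salt_1, wrong),
        # A response captured on connection 1 does not verify under salt_2.
        "replay_under_new_salt": server_check(stored, salt_2, response_1),
    }


if __name__ == "__main__":
    print(demo())
```

The stored value is exactly what a client needs to answer a challenge, so it must be protected like a password even though it is not the cleartext.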
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2000-05-06 18:43:37 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Vince Vielhaber | 2000-05-06 18:40:41 | Re: You're on SecurityFocus.com for the cleartext passwords. |