Re: Security WAS RE: [HACKERS] Updated TODO list
| От | Gene Sokolov |
|---|---|
| Тема | Re: Security WAS RE: [HACKERS] Updated TODO list |
| Дата | |
| Msg-id | 014201becf63$cd8b4140$0d8cdac3@aktrad.ru обсуждение исходный текст |
| Ответ на | Security WAS RE: [HACKERS] Updated TODO list ("Ansley, Michael" <Michael.Ansley@intec.co.za>) |
| Список | pgsql-hackers |
From: Ansley, Michael <Michael.Ansley@intec.co.za> > I think the point is that you wouldn't, but the most important part is to > get it off the wire. Let someone do that first, and then worry about what > the administrator can see. One would hope that your administrator is more > trustworthy than joe hacker out on the network. > >> Why would you want to make it visible to anyone? > >> > >> Vince. > > As a user, I would be extremely concerned if I knew that my password was > fairly transparent on the network, but less so if I knew that the wire was > safe, although my admin could see it. First prize would, of course, be > total secrecy. I have no idea where this misconception came from, but it's just plain incorrect. You can do both - store hashes instead of plaintext passwords and send logins securely over the network. Yes, the current authentication scheme does not allow for it. But it just means that the scheme is outdated. There are plenty of good secure solutions. It's just a matter of choosing one. Gene Sokolov.
В списке pgsql-hackers по дате отправления: