Re: odbc - ssl: how-to-do-it.

> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
> Sent: 29 May 2003 14:57
> To: Dave Page
> Cc: Clay Luther; John K. Herreshoff; pgsql-odbc@postgresql.org
> Subject: Re: [ODBC] odbc - ssl: how-to-do-it.
>
>
> "Dave Page" <dpage@vale-housing.co.uk> writes:
> >> Is there any way/what are the ways to secure the passwords
> >> sent by the PGODBC driver to the DB?
>
> > Use md5 passwords. It won't prevent a replay attack, but at
> least they
> > won't be plain text.
>
> Actually md5 does make a replay attack substantially harder.
> What goes over the wire is an md5 checksum of the cleartext
> password plus username plus a 4-byte salt chosen on-the-fly
> by the server.  So a replay attacker would have to be lucky
> enough to be challenged with the same salt he'd seen used before.

Ahh, I thought it sent just the password checksum and compared it to the
md5 checksum in pg_shadow - thanks.

Regards, Dave.