Re: md5 again
| From | Bruce Momjian |
|---|---|
| Subject | Re: md5 again |
| Date | |
| Msg-id | 200007111651.MAA11516@candle.pha.pa.us |
| In response to | Re: md5 again (Vince Vielhaber <vev@michvhf.com>) |
| Responses | Re: md5 again |
| List | pgsql-hackers |
> > > If CL sends the MD5 of the username rather than the plaintext username,
> > > only CL and PG will know what the username is. PG will know it by
> > > comparing it with the MD5 of every username in pg_shadow. So even if the
> > > wire is being sniffed the unhashed username can be used in the password's
> > > encryption along with the salt sent by PG. This method will take longer
> > > for a user to log in, but the login process is only per session, not per
> > > SQL call.
> >
> > A linear search of pg_shadow to log in is not acceptable; we don't want
> > to make login any slower than we have to. I see no real gain in security
> > from doing this anyway...
>
> By knowing what PG will do with the username and random salt, sniffing
> the wire can make guessing the password trivial. If the username was
> never sent over the wire in the clear the unhashed username is an unknown
> salt to he who is sniffing. But it's true that it would introduce a
> slower than necessary login.

Does it? I thought it was the password being run through MD5 that made it
secure.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026