Re: Re: Encrypting pg_shadow passwords

> On Tue, Jun 26, 2001 at 11:02:15AM -0400, Bruce Momjian wrote:
> > This is the first time I am hearing people are more concerned about
> > pg_shadow security than the wire security.  I can see cases where people
> > are on secure networks or are using only local users where having
> > pg_shadow encrypted is more important than crypt authentication. 
> > Fortunately the new system will solve both problems.
> 
> The crypt authentication currently used offers _no_ security.  If I can
> sniff on the wire, I can hijack the tcp stream, and trick the client
> into doing password authentication.

It is my understanding that sniffing is much easier than hijacking.  If
hijacking is a concern, you have to use SSL.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026