Re: Postgresql -- initial impressions and comments
From | Bruce Momjian |
---|---|
Subject | Re: Postgresql -- initial impressions and comments |
Date | |
Msg-id | 200212032337.gB3Nb7r02341@candle.pha.pa.us |
In reply to | Re: Postgresql -- initial impressions and comments (Tycho Fruru <tycho@fruru.com>) |
List | pgsql-general |
Tycho Fruru wrote:
> > 7.3 stores encrypted MD5 passwords in database (7.2 it is optional).
> > We send random salt to client and client double-MD5 encrypts, so
> > playback will not work --- best of both worlds.
>
> So, if I understand it correctly :
>
> - on the wire : no cleartext passwords, only doubly hashed + salted
> passwords -> no replay possible (watch out for session hijacking though)
> nor password sniffing

Right.

> - in the database : no cleartext passwords are stored, but access to the
> md5 hashed passwords is sufficient to get access to the database -
> without really knowing the user's password - by using a modified client.

Right.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
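Added example, not part of the thread and not PostgreSQL's own code: a Python model of the md5 challenge-response exchange discussed above, showing both properties Tycho lists (a captured response is useless against a fresh salt; the stored value alone is enough to answer a challenge). It assumes the scheme PostgreSQL uses for md5 authentication, a stored value of "md5" + md5(password || username) and a wire response of "md5" + md5(stored-hex || 4-byte salt); the user name and password are constructed sample values.

```python
import hashlib
import secrets


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5(username: str, password: str) -> str:
    """What the server keeps for a role: "md5" + md5(password || username).
    The user name acts as a fixed per-user salt for the stored hash."""
    return "md5" + md5_hex((password + username).encode())


def new_salt() -> bytes:
    """Server side: a fresh random 4-byte salt for every challenge."""
    return secrets.token_bytes(4)


def client_response(username: str, password: str, salt: bytes) -> str:
    """Honest client: first hash password || username, then hash that hex digest || salt."""
    inner = md5_hex((password + username).encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: verification needs only the stored value and the salt it issued."""
    expected = "md5" + md5_hex(stored[len("md5"):].encode() + salt)
    return secrets.compare_digest(expected, response)


def response_from_stored(stored: str, salt: bytes) -> str:
    """A client that holds only the stored value (no cleartext password) can still answer
    the challenge, so the stored hashes must be protected like the passwords themselves."""
    return "md5" + md5_hex(stored[len("md5"):].encode() + salt)


def demo() -> dict:
    # Constructed sample credentials, not taken from the thread.
    user, pw = "alice", "correct horse"
    stored = stored_md5(user, pw)
    salt = new_salt()
    resp = client_response(user, pw, salt)
    return {
        "login_ok": server_verify(stored, salt, resp),
        "replay_with_new_salt": server_verify(stored, new_salt(), resp),  # False: salt differs
        "hash_only_client": server_verify(stored, salt, response_from_stored(stored, salt)),
    }


if __name__ == "__main__":
    print(demo())
```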