Re: How passwords can be crypted in postgres?
| От | Karl DeBisschop |
|---|---|
| Тема | Re: How passwords can be crypted in postgres? |
| Дата | |
| Msg-id | 3A51CD21.720D6804@debisschop.net обсуждение исходный текст |
| Ответ на | Re: How passwords can be crypted in postgres? (The Hermit Hacker <scrappy@hub.org>) |
| Список | pgsql-general |
Jens Hartwig wrote: > > > [...] > > Isn't this just as bad? If you store the encrypted password, that doesn't > > help you in the slightest in this case, because if you can breach the list > > of encrypted passwords, you still know what you need to send as the > > "password" from the front end to let you into the database. > > [...] > > If you encrypt the input from the frontend as well and compare the > encrypted strings it will not help you to look into the list of > encrypted passwords ... or am I wrong? Slightly wrong -- you need to fetch the salt from the database first. But even so, if you then transmit this ENCRYPTED password, it can be sniffed, and the results of that sniff are all that are needed to access the system. -- Karl DeBisschop kdebisschop@alert.infoplease.com Learning Network/Information Please http://www.infoplease.com Netsaint Plugin Developer kdebisschop@users.sourceforge.net
В списке pgsql-general по дате отправления: