Re: PostgreSQL Password Cracker

<br /><br /> Tom Lane wrote:<br /><blockquote cite="mid1331.1041357853@sss.pgh.pa.us" type="cite"><pre wrap="">Devrim
GUNDUZ<a class="moz-txt-link-rfc2396E" href="mailto:devrim@tr.net"><devrim@tr.net></a> writes: </pre><blockquote
type="cite"><prewrap="">I had no time to search throug the code; but as far as I understood, it
 
*attacks* the database servers with TCP/IP on, right?   </pre></blockquote><pre wrap="">
No, the program itself simply takes an MD5 hash value and does a
brute-force search for a password that generates that MD5 string.

The comments at the top suggest sniffing a Postgres session startup
exchange in order to see the MD5 value that the user presents; which the
attacker would then give to this program.  (Forget it if the session is
Unix-local rather than TCP, or if it's SSL-encrypted...)

This is certainly a theoretically possible attack against someone who
has no clue about security, but I don't put any stock in it as a
practical attack.  For starters, if you are talking to your database
across a network that is open to hostile sniffers, you should definitely
be using SSL. </pre></blockquote> This is absolutely correct, shouldn't this be in the FAQ?<br /><blockquote
cite="mid1331.1041357853@sss.pgh.pa.us"type="cite"><pre wrap=""> </pre></blockquote><br />