From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> |
Cc: | "Clay Luther" <claycle(at)cisco(dot)com>, "John K(dot) Herreshoff" <jkherr(at)centurytel(dot)net>, pgsql-odbc(at)postgresql(dot)org |
Subject: | Re: odbc - ssl: how-to-do-it. |
Date: | 2003-05-29 13:56:53 |
Message-ID: | 17266.1054216613@sss.pgh.pa.us |
Lists: | pgsql-odbc |

"Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> writes:

>> Is there any way/what are the ways to secure the passwords
>> sent by the PGODBC driver to the DB?
> Use md5 passwords. It won't prevent a replay attack, but at least they
> won't be plain text.

Actually md5 does make a replay attack substantially harder. What goes
over the wire is an md5 checksum of the cleartext password plus username
plus a 4-byte salt chosen on-the-fly by the server. So a replay
attacker would have to be lucky enough to be challenged with the same
salt he'd seen used before.

regards, tom lane
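
The salted exchange described in the message above, as an added example that is not part of the original message or of the PostgreSQL source. It follows PostgreSQL's two-step md5 computation (md5 of password plus username, then md5 of that hex digest plus the salt); the function names, user name, password and salt values are constructed for illustration.

```python
import hashlib
import hmac
import os


def stored_hash(password: str, username: str) -> str:
    """Hex md5 of cleartext password concatenated with username (what the server keeps)."""
    return hashlib.md5((password + username).encode()).hexdigest()


def new_salt() -> bytes:
    """Server side: a fresh 4-byte salt chosen for each authentication attempt."""
    return os.urandom(4)


def client_response(password: str, username: str, salt: bytes) -> str:
    """Client side: 'md5' + hex md5 of (stored hash + salt). This is what crosses the wire."""
    inner = stored_hash(password, username).encode()
    return "md5" + hashlib.md5(inner + salt).hexdigest()


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response for the salt it issued and compare."""
    expected = "md5" + hashlib.md5(stored.encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def replay_demo() -> tuple:
    """Return (accepted under original salt, accepted when replayed under a new salt)."""
    user, password = "alice", "constructed-password"  # constructed sample credentials
    stored = stored_hash(password, user)

    salt_first = bytes.fromhex("01020304")   # constructed salt for the observed login
    captured = client_response(password, user, salt_first)

    salt_second = bytes.fromhex("a1b2c3d4")  # constructed salt for a later challenge
    return (server_verify(stored, salt_first, captured),
            server_verify(stored, salt_second, captured))


if __name__ == "__main__":
    print(replay_demo())
```

With a 4-byte salt there are 2^32 possible challenges, so a previously captured response matches a fresh challenge with probability 1 in 2^32 per attempt.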