| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> |
| Cc: | "Clay Luther" <claycle(at)cisco(dot)com>, "John K(dot) Herreshoff" <jkherr(at)centurytel(dot)net>, pgsql-odbc(at)postgresql(dot)org |
| Subject: | Re: odbc - ssl: how-to-do-it. |
| Date: | 2003-05-29 13:56:53 |
| Message-ID: | 17266.1054216613@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-odbc |
"Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> writes:
>> Is there any way/what are the ways to secure the passwords
>> sent by the PGODBC driver to the DB?
> Use md5 passwords. It won't prevent a replay attack, but at least they
> won't be plain text.
Actually md5 does make a replay attack substantially harder. What goes
over the wire is an md5 checksum of the cleartext password plus username
plus a 4-byte salt chosen on-the-fly by the server. So a replay
attacker would have to be lucky enough to be challenged with the same
salt he'd seen used before.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Page | 2003-05-29 14:37:27 | Re: odbc - ssl: how-to-do-it. |
| Previous Message | Chris Gamache | 2003-05-29 13:11:10 | Re: odbc - ssl: how-to-do-it. |