Re: ODBC problem

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Tom Samplonius <tom(at)sdf(dot)com>, Cedar Cox <cedarc(at)visionforisrael(dot)com>, "George P(dot) Esperanza" <george(at)calamba(dot)laguna(dot)net>, pgsql-interfaces(at)postgresql(dot)org
Subject: Re: ODBC problem
Date: 2000-10-09 16:45:36
Message-ID: 25669.971109936@sss.pgh.pa.us
Lists: pgsql-interfaces
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> Tom Samplonius writes:
>> Except for the fact that crypt provides little if no security increase.
>> Even though only a crypted password is sent over the wire, that crypted
>> password can still be captured off the wire and replayed to get access.

> Only if you happen to get the same salt from the server every time, which
> is rather unlikely.

However, the standard crypt algorithm only has a small number of
distinct salt values, so an attacker who's sniffed one login transaction
can connect repeatedly until challenged with the same salt he saw used
before.

We have talked about adding a higher-security login protocol --- you can
find past threads about this in the pghackers archive.  IIRC a fairly
complete design was worked out, but no one's got round to implementing
it yet.  There might still have been some unresolved objections, too.

			regards, tom lane
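
The salt-space argument above, as an added example that is not part of the original message or of PostgreSQL's code: it models a challenge-response login whose only freshness is the server's salt and computes how large the challenge space must be before a recorded response stops being reusable. Assumptions: HMAC-SHA256 stands in for crypt, challenges are drawn uniformly, the traditional crypt salt has 4096 values, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import math

# Traditional crypt(3) salt: two characters from a 64-character alphabet.
CRYPT_SALT_SPACE = 64 ** 2  # 4096 distinct salts


def response(password: str, challenge: int) -> bytes:
    """Client's answer to a server challenge (HMAC-SHA256 stand-in, not crypt)."""
    return hmac.new(password.encode(), challenge.to_bytes(16, "big"),
                    hashlib.sha256).digest()


def server_accepts(stored_password: str, challenge: int, presented: bytes) -> bool:
    """Server check: the response must match the challenge it just issued."""
    return hmac.compare_digest(response(stored_password, challenge), presented)


def p_challenge_repeats(space: int, connections: int) -> float:
    """Chance that one specific, previously seen challenge is issued again
    at least once in `connections` new connections (uniform challenges)."""
    # 1 - (1 - 1/space)**connections, computed stably for very large spaces.
    return -math.expm1(connections * math.log1p(-1.0 / space))


def min_challenge_bits(connections: int, max_probability: float) -> int:
    """Smallest challenge size (bits) keeping the repeat chance at or below
    max_probability over the given number of connections."""
    bits = 1
    while p_challenge_repeats(2 ** bits, connections) > max_probability:
        bits += 1
    return bits


if __name__ == "__main__":
    # Constructed sample values: a response recorded under challenge 17.
    captured = response("constructed-password", 17)
    print("same challenge accepted:", server_accepts("constructed-password", 17, captured))
    print("other challenge accepted:", server_accepts("constructed-password", 18, captured))
    for n in (100, 1000, 4096, 20000):
        print(n, "connections:", round(p_challenge_repeats(CRYPT_SALT_SPACE, n), 3))
    print("bits for <= 1e-6 over 1e6 connections:", min_challenge_bits(1_000_000, 1e-6))
```

On the server side, the same numbers suggest what to watch for with a small salt space: many connections from one source that are abandoned right after the challenge is issued.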
