Skip site navigation (1) Skip section navigation (2)

Re: PostgreSQL Password Cracker

From: mlw <pgsql(at)mohawksoft(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Devrim GUNDUZ <devrim(at)tr(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: PostgreSQL Password Cracker
Date: 2003-01-01 23:02:12
Message-ID: 3E137374.4070305@mohawksoft.com (view raw or flat)
Thread:
Lists: pgsql-hackers

Tom Lane wrote:

>Devrim GUNDUZ <devrim(at)tr(dot)net> writes:
>  
>
>>I had no time to search throug the code; but as far as I understood, it
>>*attacks* the database servers with TCP/IP on, right?
>>    
>>
>
>No, the program itself simply takes an MD5 hash value and does a
>brute-force search for a password that generates that MD5 string.
>
>The comments at the top suggest sniffing a Postgres session startup
>exchange in order to see the MD5 value that the user presents; which the
>attacker would then give to this program.  (Forget it if the session is
>Unix-local rather than TCP, or if it's SSL-encrypted...)
>
>This is certainly a theoretically possible attack against someone who
>has no clue about security, but I don't put any stock in it as a
>practical attack.  For starters, if you are talking to your database
>across a network that is open to hostile sniffers, you should definitely
>be using SSL.
>  
>
This is absolutely correct, shouldn't this be in the FAQ?

>  
>

In response to

Responses

pgsql-hackers by date

Next:From: Tatsuo IshiiDate: 2003-01-01 23:06:05
Subject: Re: Postgresql, unicode and umlauts
Previous:From: Stephan SzaboDate: 2003-01-01 21:47:34
Subject: Re: Bug in pg_get_constraintdef (for deferrable constraints)

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group