From: Thom Brown <thombrown(at)gmail(dot)com>
To: Andre Majorel <aym-2lqsgp(at)teaser(dot)fr>
Cc: pgsql-docs(at)postgresql(dot)org
Subject: Re: MD5 passwords
Date: 2010-07-08 14:23:20
Message-ID: AANLkTimA_1C7fDQVlRcXkWcaakq8QgsxQM1wCeZahLIh@mail.gmail.com
Lists: pgsql-docs
On 8 July 2010 14:05, Thom Brown <thombrown(at)gmail(dot)com> wrote:
> On 8 July 2010 11:46, Andre Majorel <aym-2lqsgp(at)teaser(dot)fr> wrote:
>> The doc says « if you are at all concerned about password
>> "sniffing" attacks then md5 is preferred. » but does not say why.
>> It would seem that an MD5 hash can be sniffed and replayed just as
>> well as a clear-text password.
>>
>> Maybe the doc needs to explain why "md5" is more secure than
>> "password". Or, if it isn't, say so.
>>
>
> I believe the client hashes the password using MD5 and a salt, the
> latter part being a random one sent to the client by the server, so
> sniffing the password would be useless as you would have to have
> sniffed the salt (strange phrase but there you go), have sniffed the
> password, *and* be asked for exactly the same salt by the server
> again.
>
> I'm sure that's mentioned in the docs somewhere, although not on the
> normal authentication page.
>
Aha, I've found it:
http://www.postgresql.org/docs/current/static/encryption-options.html
Thom
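The challenge-response exchange described in the quoted message, worked through as an added example (this is editor-supplied Python, not code from the thread or from PostgreSQL itself). It follows the PostgreSQL wire protocol's md5 authentication as documented: the server stores "md5" + md5(password || username), sends an AuthenticationMD5Password message ('R', length 12, code 5, 4-byte random salt), and the client answers with a PasswordMessage ('p') carrying "md5" + md5(md5(password || username) || salt). The user name, password and the fixed salt used in the test are constructed values; `replay_demo` is a hypothetical helper that replays one captured PasswordMessage against a fresh salt to show why sniffing alone does not suffice.

```python
import hashlib
import hmac
import os
import struct


def pg_md5_stored_hash(password: str, username: str) -> str:
    """Credential as stored in pg_authid for an md5 password: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def build_auth_md5_request(salt: bytes) -> bytes:
    """Server -> client AuthenticationMD5Password: Byte1('R'), Int32(12), Int32(5), Byte4(salt)."""
    if len(salt) != 4:
        raise ValueError("md5 auth salt must be exactly 4 bytes")
    return b"R" + struct.pack("!ii", 12, 5) + salt


def parse_auth_md5_request(msg: bytes) -> bytes:
    """Client side: extract the salt from an AuthenticationMD5Password message."""
    if msg[:1] != b"R" or len(msg) < 13:
        raise ValueError("not an Authentication message")
    length, code = struct.unpack("!ii", msg[1:9])
    if length != 12 or code != 5:
        raise ValueError("not AuthenticationMD5Password")
    return msg[9:13]


def client_md5_response(password: str, username: str, salt: bytes) -> str:
    """What libpq sends: 'md5' + md5(hex(md5(password || username)) || salt).

    Note the inner value is the 32-char hex digest (ASCII), the salt is raw bytes.
    """
    inner = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + hashlib.md5(inner.encode("ascii") + salt).hexdigest()


def build_password_message(response: str) -> bytes:
    """Client -> server PasswordMessage: Byte1('p'), Int32(len), String (NUL-terminated)."""
    body = response.encode("ascii") + b"\x00"
    return b"p" + struct.pack("!i", 4 + len(body)) + body


def parse_password_message(msg: bytes) -> str:
    """Server side: recover the response string from a PasswordMessage."""
    if msg[:1] != b"p" or len(msg) < 5:
        raise ValueError("not a PasswordMessage")
    (length,) = struct.unpack("!i", msg[1:5])
    body = msg[5:5 + length - 4]
    return body.rstrip(b"\x00").decode("ascii")


def server_verify(stored_hash: str, salt: bytes, response: str) -> bool:
    """Server recomputes the expected answer from the stored hash (never from the password)."""
    if not stored_hash.startswith("md5"):
        raise ValueError("stored credential is not an md5 hash")
    expected = "md5" + hashlib.md5(stored_hash[3:].encode("ascii") + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def replay_demo() -> dict:
    """Hypothetical helper: one legitimate login, then replay of the sniffed bytes in a new session."""
    username, password = "postgres", "postgres"  # constructed sample credential
    stored = pg_md5_stored_hash(password, username)

    # Session 1: server challenges, client answers, server accepts.
    salt1 = os.urandom(4)
    challenge1 = build_auth_md5_request(salt1)
    answer1 = build_password_message(
        client_md5_response(password, username, parse_auth_md5_request(challenge1)))
    legit = server_verify(stored, salt1, parse_password_message(answer1))

    # Session 2: an eavesdropper who captured answer1 resends it, but the server
    # has drawn a fresh salt, so the captured response no longer matches.
    salt2 = os.urandom(4)
    while salt2 == salt1:
        salt2 = os.urandom(4)
    replay_fresh_salt = server_verify(stored, salt2, parse_password_message(answer1))

    # Only if the server ever reissued salt1 would the captured response work again.
    replay_same_salt = server_verify(stored, salt1, parse_password_message(answer1))

    return {
        "legit": legit,
        "replay_fresh_salt": replay_fresh_salt,
        "replay_same_salt": replay_same_salt,
    }
```

What the eavesdropper sees on the wire is the 4-byte salt and the salted response, neither of which is the password, and the response is only accepted for the one salt it was computed against. Two caveats a practitioner should keep in mind: the md5 method protects the password from being read on the wire but does not encrypt the rest of the session, which is why the reply points at the encryption-options page (SSL), and the server checks the response against the stored hash, so the stored "md5..." string is itself sufficient to answer a challenge for anyone who obtains it.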