
Re: ODBC problem

From: Tom Samplonius <tom(at)sdf(dot)com>
To: Cedar Cox <cedarc(at)visionforisrael(dot)com>
Cc: "George P(dot) Esperanza" <george(at)calamba(dot)laguna(dot)net>, pgsql-interfaces(at)postgresql(dot)org
Subject: Re: ODBC problem
Date: 2000-10-08 23:53:04
Message-ID: Pine.BSF.4.05.10010081646250.11008-100000@misery.sdf.com
Lists: pgsql-interfaces
On Sat, 7 Oct 2000, Cedar Cox wrote:

> > By the way, my Postgres server is configured to "crypt" authentication
> > type.
> 
> That's the reason... My understanding is that there is no libcrypt for
> win32 so the windows ODBC driver doesn't support crypt passwords.  Allow
> passwords in the clear (change 'crypt' to 'password' in pg_hba.conf) and
> it should work fine.  Of course this could be a security hole so be
> careful what you do.  Be sure to limit the IPs that are allowed to
> connect.

  Except for the fact that crypt provides little if any security increase.
Even though only a crypted password is sent over the wire, that crypted
password can still be captured off the wire and replayed to get access.
Plus crypt is a rather fast algorithm, making it easy to brute-force.

  Of course, this is all pretty typical for databases.  Most databases
transmit passwords in the clear.  Some try a lame scramble, which is
trivial to unscramble and worse than crypt in that it is easy to reverse.
Even databases that don't transmit the password in the clear can be easily
broken by a replay attack, or if driver source is available, simply patch
the driver to accept already encrypted passwords.


Tom
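
The replay point in the message above, as an added example that is not part of the original email or of PostgreSQL's code: a credential that is the same bytes on every login is accepted again when a recorded copy is resent, while a response bound to a fresh single-use server challenge is not. Assumptions: `StaticHashServer`, `NonceServer` and the other names are hypothetical, SHA-256 stands in for crypt(3), and this toy model does not reproduce PostgreSQL's actual wire protocol.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"constructed-sample-password"  # constructed sample, not from the thread

def static_token(password: bytes) -> bytes:
    # Stand-in for a fixed "crypted" password: identical bytes on every login.
    return hashlib.sha256(password).digest()

class StaticHashServer:
    """Hypothetical server that accepts the hashed password as the credential."""
    def __init__(self, password: bytes):
        self._expected = static_token(password)
    def login(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self._expected)

class NonceServer:
    """Hypothetical server that issues a fresh single-use challenge per login."""
    def __init__(self, password: bytes):
        self._key = static_token(password)  # still password-equivalent at rest
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used challenge
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def client_response(password: bytes, nonce: bytes) -> bytes:
    return hmac.new(static_token(password), nonce, hashlib.sha256).digest()

def replay_outcomes() -> dict:
    """Resend one recorded login to each server; True means it was accepted."""
    static_srv, nonce_srv = StaticHashServer(PASSWORD), NonceServer(PASSWORD)
    recorded_token = static_token(PASSWORD)  # bytes seen on the wire
    n1 = nonce_srv.challenge()
    recorded_resp = client_response(PASSWORD, n1)
    first = nonce_srv.login(n1, recorded_resp)  # the legitimate login
    return {"static_replay": static_srv.login(recorded_token),
            "nonce_first_login": first,
            "nonce_replay_used": nonce_srv.login(n1, recorded_resp),
            "nonce_replay_fresh": nonce_srv.login(nonce_srv.challenge(), recorded_resp)}
```

The challenge only addresses replay of recorded traffic; the key the server stores is still enough to log in, which is the driver-patching case the message mentions.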

