Re: md5 again

From: Vince Vielhaber <vev(at)michvhf(dot)com>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: md5 again
Date: 2000-07-11 16:56:29
Message-ID: Pine.BSF.4.21.0007111254260.97059-100000@paprika.michvhf.com
Lists: pgsql-hackers

On Tue, 11 Jul 2000, Bruce Momjian wrote:

> > > > If CL sends the MD5 of the username rather than the plaintext username,
> > > > only CL and PG will know what the username is. PG will know it by
> > > > comparing it with the MD5 of every username in pg_shadow. So even if the
> > > > wire is being sniffed the unhashed username can be used in the password's
> > > > encryption along with the salt sent by PG. This method will take longer
> > > > for a user to log in, but the login process is only per session, not per
> > > > SQL call.
> > >
> > > A linear search of pg_shadow to log in is not acceptable; we don't want
> > > to make login any slower than we have to. I see no real gain in security
> > > from doing this anyway...
> >
> > By knowing what PG will do with the username and random salt, sniffing
> > the wire can make guessing the password trivial. If the username was
> > never sent over the wire in the clear the unhashed username is an unknown
> > salt to he who is sniffing. But it's true that it would introduce a
> > slower than necessary login.
> >
>
> Does it? I thought it was the password being run through MD5 that made
> it secure.

Simple dictionary passwords. Run them thru a script and compare the
output.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
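
The disagreement above, as an added example that is not part of the original message: it checks a captured login response against a word list, first with the username in the clear and then with the username sent as its MD5. The hash construction, salt, names and word lists are assumptions constructed for illustration; the thread does not give the exact formula.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def response(password: str, username: str, salt: bytes) -> str:
    # Assumed construction: the thread only says the username and the
    # server's salt both go into the password hash, not the exact formula.
    inner = md5_hex((password + username).encode())
    return md5_hex(inner.encode() + salt)

def find_password(observed, username, salt, wordlist):
    """Username known: one candidate password costs two MD5 calls."""
    for candidate in wordlist:
        if response(candidate, username, salt) == observed:
            return candidate
    return None

def find_user_and_password(observed, user_digest, salt, names, wordlist):
    """Username sent as MD5: resolve the digest against candidate names
    first (the same scan the server would do over pg_shadow)."""
    for name in names:
        if md5_hex(name.encode()) == user_digest:
            return name, find_password(observed, name, salt, wordlist)
    return None, None

# Constructed sample data, not taken from the thread.
SALT = b"\x1a\x2b\x3c\x4d"
NAMES = ["postgres", "admin", "alice", "bob"]
WORDLIST = ["password", "letmein", "sunshine", "dragon"]
WEAK = response("sunshine", "alice", SALT)          # dictionary password
STRONG = response("vR7#qLz0!mWc92", "alice", SALT)  # not in WORDLIST

if __name__ == "__main__":
    print(find_password(WEAK, "alice", SALT, WORDLIST))
    print(find_user_and_password(WEAK, md5_hex(b"alice"), SALT, NAMES, WORDLIST))
    print(find_password(STRONG, "alice", SALT, WORDLIST))
```

Hashing the username only adds the cost of matching a guessable name; the search fails in both cases when the password is not in the word list.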
