Re: md5 again

From: Vince Vielhaber <vev(at)michvhf(dot)com>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: md5 again
Date: 2000-07-11 19:28:49
Message-ID: Pine.BSF.4.21.0007111528060.98588-100000@paprika.michvhf.com
Lists: pgsql-hackers

On Tue, 11 Jul 2000, Bruce Momjian wrote:

> > And so would the postmaster ;-). The problem here is that the hashed
> > username has to be sent, and there can be no hidden salt involved
> > since it's the first step of the protocol. So the attacker knows
> > exactly what the hashed username is, and if he can guess the username
> > then he can verify it. Then he moves on to guessing/verifying the
> > password. I still don't see a material gain in security here, given
> > that I believe usernames are likely to be pretty easy to guess.
>
> Just do a 'ps' and you have the username for each connection.

True, but I was more concerned with remote sniffing.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
