| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> |
| Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, Dave Page <dpage(at)vale-housing(dot)co(dot)uk> |
| Subject: | Re: [pgadmin-hackers] Client-side password encryption |
| Date: | 2005-12-23 05:39:51 |
| Message-ID: | 16420.1135316391@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers pgsql-hackers |
Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> writes:
> AndrewSN can't post at the moment, but asked me to post this for him:
> "Knowing the md5 hash is enough to authenticate via the 'md5' method in
> pg_hba.conf, even if you don't know the original password.
If you know the md5 hash, you know everything the postmaster does, so
it's hard to see where such an attacker is going to be stopped. The
entire point here is not to expose the cleartext password, and that
really has nothing to do with whether you're going to break into the
PG database. It's about protecting users who are foolish enough to
use the same cleartext password for multiple services.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Page | 2005-12-23 08:24:07 | Re: pga_next_schedule function bug |
| Previous Message | Christopher Kings-Lynne | 2005-12-23 05:19:31 | Re: [pgadmin-hackers] Client-side password encryption |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2005-12-23 10:18:43 | Re: [Bizgres-general] WAL bypass for INSERT, UPDATE and |
| Previous Message | Christopher Kings-Lynne | 2005-12-23 05:19:31 | Re: [pgadmin-hackers] Client-side password encryption |