Field | Value |
---|---|
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Vince Vielhaber <vev(at)michvhf(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: md5 again |
Date: | 2000-07-11 17:58:56 |
Message-ID: | 200007111758.NAA13380@candle.pha.pa.us |
Lists: | pgsql-hackers |
> And so would the postmaster ;-). The problem here is that the hashed
> username has to be sent, and there can be no hidden salt involved
> since it's the first step of the protocol. So the attacker knows
> exactly what the hashed username is, and if he can guess the username
> then he can verify it. Then he moves on to guessing/verifying the
> password. I still don't see a material gain in security here, given
> that I believe usernames are likely to be pretty easy to guess.
Just do a 'ps' and you have the username for each connection.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
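The quoted argument is that a hash of the username, sent as the very first protocol message, protects nothing because it cannot include a hidden salt and the input is low-entropy. The following Python is an added illustration of that point, not code from the thread or from PostgreSQL: it models the proposed first message as md5(username), shows that an observer who can see that message only needs a short list of plausible names to confirm which one was sent, and contrasts it with a variant where the server first sends a random salt. The candidate list and the salted variant are constructed for the example; even the salted form only defeats precomputed tables, it does not make a guessable public identifier secret.

```python
import hashlib
import secrets
from typing import Iterable, Optional

# Constructed stand-in for "usernames are likely to be pretty easy to guess";
# not taken from the thread.
LIKELY_USERNAMES = ["postgres", "pgsql", "admin", "www", "bruce", "tgl"]


def unsalted_username_hash(username: str) -> str:
    """The scheme under discussion: the client opens the protocol with
    md5(username) and nothing else, so the value is fixed per username."""
    return hashlib.md5(username.encode()).hexdigest()


def salted_username_hash(username: str, salt: bytes) -> str:
    """Hypothetical variant: the server first sends a random salt and the
    client replies with md5(salt || username). The salt travels in the clear."""
    return hashlib.md5(salt + username.encode()).hexdigest()


def recover_username(observed: str, salt: Optional[bytes],
                     candidates: Iterable[str]) -> Optional[str]:
    """What a passive observer of the opening message(s) can conclude:
    reproduce the hash for each likely name and compare. With no salt this
    works offline and from precomputed tables; with a visible salt it still
    works per connection, only the precomputation is lost."""
    for name in candidates:
        h = (unsalted_username_hash(name) if salt is None
             else salted_username_hash(name, salt))
        if h == observed:
            return name
    return None


def demo() -> dict:
    """Run both cases for the name 'postgres' and report what was learned."""
    salt = secrets.token_bytes(4)
    unsalted_msg = unsalted_username_hash("postgres")
    salted_msg = salted_username_hash("postgres", salt)
    return {
        # the unsalted first message never changes between connections
        "unsalted_stable": unsalted_msg == unsalted_username_hash("postgres"),
        # a guess list confirms the username in both schemes
        "unsalted_guess": recover_username(unsalted_msg, None, LIKELY_USERNAMES),
        "salted_guess": recover_username(salted_msg, salt, LIKELY_USERNAMES),
        # only a name outside the guess list stays unconfirmed
        "unknown_name": recover_username(
            unsalted_username_hash("zq8_rare"), None, LIKELY_USERNAMES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defender's takeaway matches the quoted text: hashing a value that is public on the wire and drawn from a small space adds no secrecy, so the design gain has to come from protecting the password exchange itself, not from disguising the username.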