Skip site navigation (1) Skip section navigation (2)

Re: ODBC problem

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Tom Samplonius <tom(at)sdf(dot)com>, Cedar Cox <cedarc(at)visionforisrael(dot)com>, "George P(dot) Esperanza" <george(at)calamba(dot)laguna(dot)net>, pgsql-interfaces(at)postgresql(dot)org
Subject: Re: ODBC problem
Date: 2000-10-09 16:45:36
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-interfaces
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> Tom Samplonius writes:
>> Except for the fact that crypt provides little if no security increase.
>> Even though only a crypted password is sent over the wire, that crypted
>> password can still be captured off the wire and replayed to get access.

> Only if you happen to get the same salt from the server every time, which
> is rather unlikely.

However, the standard crypt algorithm only has a small number of
distinct salt values, so an attacker who's sniffed one login transaction
can connect repeatedly until challenged with the same salt he saw used

We have talked about adding a higher-security login protocol --- you can
find past threads about this in the pghackers archive.  IIRC a fairly
complete design was worked out, but no one's got round to implementing
it yet.  There might still have been some unresolved objections, too.

			regards, tom lane

In response to


pgsql-interfaces by date

Next:From: Tim DruryDate: 2000-10-09 19:15:25
Subject: faq/archives & question
Previous:From: Peter EisentrautDate: 2000-10-09 16:32:10
Subject: Re: ODBC problem

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group