| From: | brian <brian(at)zijn-digital(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Connect to postgres from a dynamic IP |
| Date: | 2008-03-04 03:15:11 |
| Message-ID: | 47CCBEBF.1010903@zijn-digital.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Jorge Godoy wrote:
> Em Monday 03 March 2008 13:17:03 você escreveu:
>> My understanding is no password is sent in the clear with md5 per:
>>
>> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSW
>> ORD
>
> But the MD5 hash is. This page states that the password can't be directly
> sniffed, but one can still get the hash of the password and perform a
> dictionary attack against it on a local copy (i.e., without ever trying to
> connect to the server).
>
> After a successful attack then one can connect directly to the server as if
> the password was known to him/her.
>
No sense in pretending. I should think that password *would* be known in
that scenario.
(ignoring hash collisions, of course)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Brendan Jurd | 2008-03-04 03:15:53 | Re: [GENERAL] Empty arrays with ARRAY[] |
| Previous Message | Jorge Godoy | 2008-03-04 02:41:50 | Re: Connect to postgres from a dynamic IP |