Re: ODBC problem

From: Tom Samplonius <tom(at)sdf(dot)com>
To: Cedar Cox <cedarc(at)visionforisrael(dot)com>
Cc: "George P(dot) Esperanza" <george(at)calamba(dot)laguna(dot)net>, pgsql-interfaces(at)postgresql(dot)org
Subject: Re: ODBC problem
Date: 2000-10-08 23:53:04
Message-ID: Pine.BSF.4.05.10010081646250.11008-100000@misery.sdf.com
Lists: pgsql-interfaces


On Sat, 7 Oct 2000, Cedar Cox wrote:

> > By the way, my Postgres server is configured to "crypt" authentication
> > type.
>
> That's the reason... My understanding is that there is no libcrypt for
> win32 so the windows ODBC driver doesn't support crypt passwords. Allow
> passwords in the clear (change 'crypt' to 'password' in pg_hba.conf) and
> it should work fine. Of course this could be a security hole so be
> careful what you do. Be sure to limit the IPs that are allowed to
> connect.

Except for the fact that crypt provides little if any security increase.
Even though only a crypted password is sent over the wire, that crypted
password can still be captured off the wire and replayed to get access.
Plus crypt is a rather fast algorithm, making it easy to brute-force.

Of course, this is all pretty typical for databases. Most databases
transmit passwords in the clear. Some try a lame scramble, which is
trivial to unscramble and worse than crypt in that it is easy to reverse.
Even databases that don't transmit the password in the clear can be easily
broken by a replay attack, or if driver source is available, simply patch
the driver to accept already encrypted passwords.

Tom
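An added example, not part of the thread or of PostgreSQL itself: a small audit script that reads pg_hba.conf host lines and flags the combination the two posters discuss, a replayable or cleartext password method (`crypt` or `password`) reachable from a wide address range. It assumes the PostgreSQL 7.0-era five-column layout (`host DATABASE IP_ADDRESS ADDRESS_MASK AUTH_TYPE`) and also accepts a four-column variant with the address in CIDR form; the `MIN_PREFIX` policy threshold and the sample file are constructed for illustration.

```python
"""Audit pg_hba.conf 'host' lines for weak password transport.

Hypothetical helper written for this thread (not PostgreSQL's own code).
Assumed input format, per the 7.0-era pg_hba.conf:
    host  DATABASE  IP_ADDRESS  ADDRESS_MASK  AUTH_TYPE
plus a four-column variant where IP_ADDRESS is already CIDR notation.
"""
import ipaddress

# 'password' sends the password in the clear; 'crypt' sends a crypt() hash
# that can be captured and replayed, so both count as weak on the wire.
WEAK_METHODS = {"password", "crypt"}

# Constructed policy: a weak method is tolerable only when the allowed
# source range is a /24 or narrower (the "limit the IPs" advice above).
MIN_PREFIX = 24

# Constructed sample file for the demonstration.
SAMPLE_HBA = """\
# TYPE  DATABASE  IP_ADDRESS    ADDRESS_MASK     AUTH_TYPE
local   all                                      trust
host    all       0.0.0.0       0.0.0.0          crypt
host    all       192.168.1.0   255.255.255.0    password
host    all       10.0.0.0/8                     password
"""


def parse_line(line):
    """Return (type, network-or-None, method) for one line, or None for
    blank and comment lines."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    kind, method = tokens[0], tokens[-1]
    if kind == "local":
        # Unix-domain socket: nothing crosses the network.
        return kind, None, method
    if kind == "host":
        if len(tokens) == 5:
            # Address and separate netmask; ipaddress accepts "addr/mask".
            net = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
        elif len(tokens) == 4:
            # Address already in CIDR notation.
            net = ipaddress.ip_network(tokens[2], strict=False)
        else:
            raise ValueError(f"unrecognised host line: {line!r}")
        return kind, net, method
    raise ValueError(f"unrecognised record type: {line!r}")


def audit(text):
    """Return a list of (line_no, severity, message) findings."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, net, method = parsed
        if kind == "local":
            continue
        if method not in WEAK_METHODS:
            continue
        note = ("crypt hash is replayable and cheap to brute-force"
                if method == "crypt" else "password crosses the wire in the clear")
        if net.prefixlen < MIN_PREFIX:
            findings.append((line_no, "HIGH",
                             f"{method} accepted from {net}: {note}, "
                             f"and the source range is wider than /{MIN_PREFIX}"))
        else:
            findings.append((line_no, "MEDIUM",
                             f"{method} accepted from {net}: {note}, "
                             f"source range is restricted"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in audit(SAMPLE_HBA):
        print(f"line {line_no}: {severity}: {message}")
```

Run against a real file with `audit(open("/path/to/pg_hba.conf").read())`; HIGH findings are the lines worth narrowing first, since neither method protects the credential against capture on a network segment that many hosts can reach.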
