Home > mailing lists

Re: md5 again - Mailing list pgsql-hackers

From	Bruce Momjian
Subject	Re: md5 again
Date	July 11, 2000 17:00:58
Msg-id	200007111758.NAA13380@candle.pha.pa.us Whole thread Raw
In response to	Re: md5 again (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: md5 again (Vince Vielhaber <vev@michvhf.com>)
List	pgsql-hackers

Tree view

> And so would the postmaster ;-).  The problem here is that the hashed
> username has to be sent, and there can be no hidden salt involved
> since it's the first step of the protocol.  So the attacker knows
> exactly what the hashed username is, and if he can guess the username
> then he can verify it.  Then he moves on to guessing/verifying the
> password.  I still don't see a material gain in security here, given
> that I believe usernames are likely to be pretty easy to guess.

Just do a 'ps' and you have the username for each connection.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026

pgsql-hackers by date:

From: Tom Lane
Date: 11 July 2000, 16:53:31
Subject: Re: md5 again

From: "Mikheev, Vadim"
Date: 11 July 2000, 17:26:37
Subject: RE: postgres 7.2 features.

Re: md5 again - Mailing list pgsql-hackers

Previous

Next