md5 auth protocol - can it be replayed? - Mailing list pgsql-admin

From Nagy László Zsolt
Subject md5 auth protocol - can it be replayed?
Date
Msg-id 572E0BFE.7040709@shopzeus.com
Responses Re: md5 auth protocol - can it be replayed?  (Stephen Frost <sfrost@snowman.net>)
List pgsql-admin
How does the md5 hashed authentication method work? Is it protected against
replay attacks? Here is what I have in mind:

* If the server stores salted hashed passwords, then I do not see how
the server could authenticate the users without getting the password in
clear text.
* If the server stores (unsalted) password hash values, then basically
there is almost no difference between a clear text password and an md5
hash, because anyone can replay the same hash value and log in
again.

Am I missing something?

Thanks,

   Laszlo
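
Added example, not part of the original message: a Python model of the PostgreSQL md5 authentication exchange (stored value "md5" + md5(password || username), 4-byte per-connection salt sent by the server), covering both cases raised in the question. The user name, password and salt values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    # Server-side stored value: "md5" + md5(password || username).
    # The user name acts as a per-account salt for the stored hash.
    return "md5" + md5_hex((password + user).encode())


def client_response(user: str, password: str, salt: bytes) -> str:
    # Client hashes the same inner value again with the salt the server
    # sent for this connection, so the cleartext password never travels.
    inner = md5_hex((password + user).encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    # Server recomputes the outer hash from its stored inner hash.
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def response_from_verifier(verifier: str, salt: bytes) -> str:
    # Needs only the stored hash, not the password: the stored value is
    # password-equivalent and must be protected like a password.
    return "md5" + md5_hex(verifier[3:].encode() + salt)


def demo() -> dict:
    user, password = "alice", "constructed-sample-pw"  # constructed values
    verifier = stored_verifier(user, password)
    salt_a, salt_b = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"  # constructed
    captured = client_response(user, password, salt_a)
    return {
        "fresh_login": server_check(verifier, salt_a, captured),
        "replay_new_salt": server_check(verifier, salt_b, captured),
        "replay_same_salt": server_check(verifier, salt_a, captured),
        "stored_hash_only": server_check(
            verifier, salt_b, response_from_verifier(verifier, salt_b)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A captured response is rejected once the server picks a different salt, but it is accepted again whenever the same 4-byte salt recurs, and the stored hash alone is sufficient to answer any challenge.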



