Home > mailing lists

Re: Is md5 really more secure than crypt? - Mailing list pgsql-general

From	Tom Lane
Subject	Re: Is md5 really more secure than crypt?
Date	June 14, 2002 16:31:54
Msg-id	7407.1024074879@sss.pgh.pa.us Whole thread Raw
In response to	Is md5 really more secure than crypt? ("murphy pope" <pope_murphy@hotmail.com>)
Responses	Re: Is md5 really more secure than crypt? (Bruce Momjian <pgman@candle.pha.pa.us>)
List	pgsql-general

Tree view

"murphy pope" <pope_murphy@hotmail.com> writes:
> But, if can peek at the server's user/password checksum (in the pg_pwd
> file), I can connect to a server, get the server's salt, and combine it with
> the stolen checksum, arriving at the checksum expected by the server.

Hmm.  The double hashing scheme was supposed to prevent that attack,
but looking at the code I think maybe it got implemented incorrectly.
We should go back and look at the design discussions to see if this
wasn't foreseen.

            regards, tom lane

pgsql-general by date:

From: Darren Ferguson
Date: 14 June 2002, 16:31:43
Subject: Re: jobs.postgresql.org - Who's interested?

From: "Nigel J. Andrews"
Date: 14 June 2002, 16:34:29
Subject: Re: I must be blind...

Re: Is md5 really more secure than crypt? - Mailing list pgsql-general

Previous

Next