Re: MD5 passwords - Mailing list pgsql-docs

From Thom Brown
Subject Re: MD5 passwords
Date
Msg-id AANLkTilcSzlyT3pZWYmWxeCFuR6c1tTNbEXvJo72yOzL@mail.gmail.com
Whole thread Raw
In response to MD5 passwords  (Andre Majorel <aym-2lqsgp@teaser.fr>)
Responses Re: MD5 passwords  (Thom Brown <thombrown@gmail.com>)
List pgsql-docs
On 8 July 2010 11:46, Andre Majorel <aym-2lqsgp@teaser.fr> wrote:
> The doc says « if you are at all concerned about password
> "sniffing" attacks then md5 is preferred. » but does not say why.
> It would seem that an MD5 hash can be sniffed and replayed just as
> well as a clear-text password.
>
> Maybe the doc needs to explain why "md5" is more secure than
> "password". Or, if it isn't, say so.
>

I believe the client hashes the password using MD5 and a salt, the
latter part being a random one sent to the client by the server, so
sniffing the password would be useless as you would have to have
sniffed the salt (strange phrase but there you go), have sniffed the
password, *and* be asked for exactly the same salt by the server
again.

I'm sure that's mentioned in the docs somewhere, although not on the
normal authentication page.

Thom

pgsql-docs by date:

Previous
From: Andre Majorel
Date:
Subject: MD5 passwords
Next
From: Thom Brown
Date:
Subject: Re: MD5 passwords