Thread: MD5 passwords

MD5 passwords

From: Andre Majorel
The doc says « if you are at all concerned about password
"sniffing" attacks then md5 is preferred. » but does not say why.
It would seem that an MD5 hash can be sniffed and replayed just as
well as a clear-text password.

Maybe the doc needs to explain why "md5" is more secure than
"password". Or, if it isn't, say so.

--
André Majorel http://www.teaser.fr/~amajorel/

Re: MD5 passwords

From: Thom Brown
On 8 July 2010 11:46, Andre Majorel <aym-2lqsgp@teaser.fr> wrote:
> The doc says « if you are at all concerned about password
> "sniffing" attacks then md5 is preferred. » but does not say why.
> It would seem that an MD5 hash can be sniffed and replayed just as
> well as a clear-text password.
>
> Maybe the doc needs to explain why "md5" is more secure than
> "password". Or, if it isn't, say so.
>

I believe the client hashes the password using MD5 and a salt, the
latter part being a random one sent to the client by the server, so
sniffing the password would be useless as you would have to have
sniffed the salt (strange phrase but there you go), have sniffed the
password, *and* be asked for exactly the same salt by the server
again.

I'm sure that's mentioned in the docs somewhere, although not on the
normal authentication page.

Thom
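To make the exchange Thom describes concrete, here is an added Python simulation (not code from the thread or from PostgreSQL itself) of the server-issued salt and the client's hashed response, and of why a sniffed response cannot be replayed against a fresh salt. The exact construction used, md5(md5(password || username) || salt) with a 4-byte random salt, is PostgreSQL's md5 authentication scheme, which the post does not spell out; the username and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; not taken from the thread.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def stored_md5(password: str, username: str) -> str:
    """What the server keeps for md5 auth: "md5" + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def new_salt() -> bytes:
    """Server side: a fresh 4-byte random challenge for each connection attempt."""
    return os.urandom(4)


def client_response(password: str, username: str, salt: bytes) -> str:
    """Client side: "md5" + md5(md5(password || username) || salt).

    Only this value crosses the wire; the clear-text password never does."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored hash and the salt it issued."""
    inner = stored[len("md5"):]
    expected = "md5" + hashlib.md5(inner.encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def replay_demo() -> tuple:
    """Returns (genuine login accepted, sniffed response replayed later accepted)."""
    stored = stored_md5(PASSWORD, USERNAME)
    salt1 = new_salt()
    sniffed = client_response(PASSWORD, USERNAME, salt1)  # what a sniffer sees
    first_ok = server_verify(stored, salt1, sniffed)
    salt2 = new_salt()
    while salt2 == salt1:  # next connection gets a different challenge
        salt2 = new_salt()
    replay_ok = server_verify(stored, salt2, sniffed)
    return first_ok, replay_ok
```

The replay only succeeds if the server happens to issue the very same salt again, which is the point Thom makes about needing "exactly the same salt".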

Re: MD5 passwords

From: Thom Brown
On 8 July 2010 14:05, Thom Brown <thombrown@gmail.com> wrote:
> On 8 July 2010 11:46, Andre Majorel <aym-2lqsgp@teaser.fr> wrote:
>> The doc says « if you are at all concerned about password
>> "sniffing" attacks then md5 is preferred. » but does not say why.
>> It would seem that an MD5 hash can be sniffed and replayed just as
>> well as a clear-text password.
>>
>> Maybe the doc needs to explain why "md5" is more secure than
>> "password". Or, if it isn't, say so.
>>
>
> I believe the client hashes the password using MD5 and a salt, the
> latter part being a random one sent to the client by the server, so
> sniffing the password would be useless as you would have to have
> sniffed the salt (strange phrase but there you go), have sniffed the
> password, *and* be asked for exactly the same salt by the server
> again.
>
> I'm sure that's mentioned in the docs somewhere, although not on the
> normal authentication page.
>

Aha, I've found it:
http://www.postgresql.org/docs/current/static/encryption-options.html

Thom