Home > mailing lists

Re: Rejecting weak passwords - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: Rejecting weak passwords
Date	October 14, 2009 18:18:12
Msg-id	5834.1255555073@sss.pgh.pa.us Whole thread Raw
In response to	Re: Rejecting weak passwords ("Kevin Grittner" <Kevin.Grittner@wicourts.gov>)
Responses	Re: Rejecting weak passwords Re: Rejecting weak passwords
List	pgsql-hackers

Tree view

"Kevin Grittner" <Kevin.Grittner@wicourts.gov> writes:
> And, perhaps slightly off topic: if the login password is sent over a
> non-encrypted stream, md5sum or not, can't someone use it to log in if
> they're generating their own stream to connect?

Not if they only capture a login exchange --- the password is doubly
encrypted during that.  If they see the md5'd password in a CREATE USER
command, then yeah, they could pass a subsequent md5 challenge, using
suitably modified client software that doesn't try to re-encrypt the
given password.

But the main point is to hide the cleartext password, in any case.
        regards, tom lane

pgsql-hackers by date:

From: "Kevin Grittner"
Date: 14 October 2009, 18:14:54
Subject: Re: Could regexp_matches be immutable?

From: Peter Eisentraut
Date: 14 October 2009, 18:27:19
Subject: Re: What does this configure warning mean?

Re: Rejecting weak passwords - Mailing list pgsql-hackers

Previous

Next