* Michael Samuel (m...@miknet.net) wrote:
> - I don't recommend storing the password in cleartext
> - I *do* recommend exchanging the password in cleartext over the network

And I will continue to argue that it's far worse these days to send the password in cleartext across the wire.

> This is because the exchange network protocol is vulnerable to "pass
> the hash" - so somebody who has your pg_shadow but can't crack your
> password can still use the hash to login.

Where would they get the pg_authid entry from? It's not directly visible in the network traffic because PG uses a challenge/response system with md5.

> In the thread it was pointed out that the network protocol is
> vulnerable to session hijacking. Additionally, the challenge-response
> protocol is vulnerable to extremely fast password searches. This is
> just another broken ad-hoc challenge-response protocol to be added to
> the heap. If anyone from postgres is interested in putting a
> network-compatible fix for password hashing in, feel free to contact
> me.

No, it isn't a great challenge/response, but it's certainly better than just forgoing all of that and sending the password in cleartext.

To be clear, I *am* from the PostgreSQL community and I'd be happy to discuss any useful suggestions about providing an alternative that doesn't break the wireline protocol, because as far as I'm aware that's not possible to do. The wireline protocol is quite clear about what it requires and we have quite a few client-side implementations to consider. Note that this is specifically why other authentication methods are available and encouraged with PG.

Thanks,

Stephen
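The md5 challenge/response the two posters are arguing about, as an added illustration (not part of the mail and not PostgreSQL's own code): it follows the documented scheme, where pg_authid holds `md5` + hex(md5(password || role)) and the client answers the server's 4-byte salt with `md5` + hex(md5(that hex || salt)), and shows why a copy of the stored value is password-equivalent on the wire. The role name, password and salt are constructed sample values.

```python
import hashlib
import hmac
import os


def pg_stored_md5(password: str, username: str) -> str:
    """Value kept in pg_authid.rolpassword for md5 auth: 'md5' + hex(md5(password || role)).
    The only 'salt' is the role name, so there is no per-user random salt at rest."""
    return "md5" + hashlib.md5(password.encode() + username.encode()).hexdigest()


def pg_wire_response_from_stored(stored: str, salt: bytes) -> str:
    """Client reply to AuthenticationMD5Password, computed from the stored value alone:
    'md5' + hex(md5(inner_hex || salt)), inner_hex being the 32 hex chars after 'md5'."""
    if not (stored.startswith("md5") and len(stored) == 35) or len(salt) != 4:
        raise ValueError("expected a 35-char md5 verifier and a 4-byte salt")
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def pg_wire_response(password: str, username: str, salt: bytes) -> str:
    """What a real client does: derive the stored form from the password, then answer."""
    return pg_wire_response_from_stored(pg_stored_md5(password, username), salt)


def server_verifies(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected reply from pg_authid and the salt it issued."""
    expected = pg_wire_response_from_stored(stored, salt)
    return hmac.compare_digest(expected, response)


def demo() -> bool:
    """Show that the reply never needs the password, only the stored verifier."""
    user, password = "app_user", "correct horse"   # constructed sample values
    stored = pg_stored_md5(password, user)          # what a pg_authid read exposes
    salt = os.urandom(4)                            # fresh challenge from the server
    legit = pg_wire_response(password, user, salt)  # client that knows the password
    # The same reply from the verifier alone: this is the "pass the hash" point in the
    # thread, and why pg_authid must be guarded as a secret, not merely as a hash store.
    from_hash = pg_wire_response_from_stored(stored, salt)
    return legit == from_hash and server_verifies(stored, salt, legit)
```

The password itself still never crosses the wire, which is the other poster's point; the two claims in the thread are not in conflict.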