Stephen Frost <sfrost@xxxxxxxxxxx> writes: > * Nagy László Zsolt (gandalf@xxxxxxxxxxxx) wrote: >> Am I missing something? > There is a challenge/response compoent, so the md5 hash which is stored > is not what is sent across the wire. That prevents replay attacks when > the attacker is simply sniffing the network. Worth noting here is that the challenge key space is not all that huge, so an attacker who captures a large number of challenge/response pairs would have a good probability of being able to answer the next challenge successfully. However, if you're concerned about sniffing of your database connections happening on that scale, you really ought to be using SSL encryption which would make the whole thing moot. In many cases, capturing a database session would reveal lots of interesting data passing over the wire whether or not you'd captured a usable password --- so I'd call it fairly irresponsible to not be using SSL if you think your connection is open to sniffing. regards, tom lane -- Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-admin
