Re: Rejecting weak passwords

From: "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Marko Kreen" <markokr(at)gmail(dot)com>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "Greg Stark" <gsstark(at)mit(dot)edu>, "Bruce Momjian" <bruce(at)momjian(dot)us>, "Dave Page" <dpage(at)pgadmin(dot)org>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org>, "mlortiz" <mlortiz(at)uci(dot)cu>, "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Subject: Re: Rejecting weak passwords
Date: 2009-10-14 21:45:51
Message-ID: 4AD6003F020000250002B957@gw.wicourts.gov
Lists: pgsql-hackers

Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov> writes:

>> if the login password is sent over a non-encrypted stream, md5sum
>> or not, can't someone use it to log in if they're generating their
>> own stream to connect?

> If they see the md5'd password in a CREATE USER command, then yeah

So anyone in a truly security-conscious environment should only change
the password through a trusted connection, whether or not it is md5'd?
(Trusted here meaning that the connection has suitable encryption or
it is local to the server, which is suitably secured.)

> But the main point is to hide the cleartext password, in any case.

Sure, sorry to drift off-topic, but the thought kept nagging at me.
:-) Anyway, I think it helped crystallize something for me -- the
client-side md5 mangling protects against malicious DBAs or database
server admins, while the trusted connection protects against network
snooping. The former is more about keeping the bad guys, who would
have other ways of compromising the database, from gleaning
information about your password choices that they may be able to apply
to other resources. The latter protects the database itself.

Did I miss any other forms of attack either addresses?

-Kevin
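[Editor's note, not part of Kevin's message: the exchange above turns on how the pre-SCRAM MD5 scheme actually works, so here is a small added example that re-implements the arithmetic. It is illustration code, not PostgreSQL's or libpq's own source. The stored form is md5(password || username) with an "md5" prefix, and the AuthenticationMD5Password challenge is answered with md5(stored_hex || 4-byte salt); the usernames, passwords and wordlist below are constructed for the demo.]

```python
"""PostgreSQL MD5 password handling as discussed in the thread (pre-SCRAM).

Illustrative re-implementation for the two attacks Kevin distinguishes:
  1. network snooping of an ALTER/CREATE USER carrying the md5 form, and
  2. a malicious DBA / server admin who can read pg_authid.
Not PostgreSQL's code; names and sample data are constructed for this example.
"""
import hashlib
import secrets
from typing import Iterable, Optional


def pg_md5_stored(password: str, username: str) -> str:
    """Value kept in pg_authid.rolpassword, and what a pre-hashing client
    (e.g. psql's \\password via PQencryptPassword) sends in
    ALTER USER ... PASSWORD 'md5...'.  Note the only 'salt' is the username."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_md5_response(stored: str, salt: bytes) -> str:
    """Client answer to an AuthenticationMD5Password challenge.
    The input is the *stored* hash, so the cleartext is never required."""
    if not (stored.startswith("md5") and len(stored) == 35):
        raise ValueError("expected 'md5' + 32 hex characters")
    if len(salt) != 4:
        raise ValueError("server salt is 4 bytes")
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def server_accepts(stored: str, salt: bytes, response: str) -> bool:
    """Server-side check: recompute from the stored form and compare."""
    return secrets.compare_digest(pg_md5_response(stored, salt), response)


def replay_captured_hash(captured_stored: str) -> bool:
    """Attack 1 (network snooping): an eavesdropper who saw the md5 form in a
    CREATE/ALTER USER on an unencrypted link answers a fresh challenge with it.
    A trusted (encrypted or local) connection is what prevents this."""
    salt = secrets.token_bytes(4)
    return server_accepts(captured_stored, salt,
                          pg_md5_response(captured_stored, salt))


def dba_dictionary_attack(stored: str, username: str,
                          wordlist: Iterable[str]) -> Optional[str]:
    """Attack 2 (malicious DBA): client-side hashing keeps the cleartext out of
    pg_authid and the server log, but the hash is still cheap to guess offline
    because the only salt is the username.  Returns the recovered password or None."""
    for guess in wordlist:
        if pg_md5_stored(guess, username) == stored:
            return guess
    return None


def demo() -> dict:
    """Run both scenarios on constructed data and return the observations."""
    user, password = "kevin", "correct horse"          # constructed sample
    stored = pg_md5_stored(password, user)             # what the DBA can see
    salt = secrets.token_bytes(4)
    return {
        "legit_login": server_accepts(stored, salt, pg_md5_response(stored, salt)),
        "wrong_password_rejected": not server_accepts(
            stored, salt, pg_md5_response(pg_md5_stored("hunter2", user), salt)),
        "sniffed_hash_logs_in": replay_captured_hash(stored),
        "dba_guess": dba_dictionary_attack(stored, user,
                                           ["password", "hunter2", "correct horse"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Reading the two results together gives exactly Kevin's split: the replay succeeds with nothing but the hash, which is the network attack a trusted connection has to stop, while the dictionary run shows what client-side hashing does and does not buy against a DBA (no cleartext on the wire or in the catalog, but weak passwords are still recoverable offline).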
