On 8 July 2010 11:46, Andre Majorel <[email protected]> wrote: > The doc says « if you are at all concerned about password > "sniffing" attacks then md5 is preferred. » but does not say why. > It would seem that an MD5 hash can be sniffed and replayed just as > well as a clear-text password. > > Maybe the doc needs to explain why "md5" is more secure than > "password". Or, if it isn't, say so. >
I believe the client hashes the password using MD5 and a salt, the latter part being a random one sent to the client by the server, so sniffing the password would be useless as you would have to have sniffed the salt (strange phrase but there you go), have sniffed the password, *and* be asked for exactly the same salt by the server again. I'm sure that's mentioned in the docs somewhere, although not on the normal authentication page. Thom -- Sent via pgsql-docs mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-docs
