Hi Tom,
Thanks a lot, that was the kind of clarification I needed.
On Fri, Aug 20, 2004 at 10:32:59AM -0400, Tom Lane wrote:
> Daniel Martini <[EMAIL PROTECTED]> writes:
> > No he can't:
> > Only if he is able to install a program on the webserver to
> > actually login with a hashed password. If
On Fri, Aug 20, 2004 at 09:43:08 +0200,
Daniel Martini <[EMAIL PROTECTED]> wrote:
>
> No he can't:
> Only if he is able to install a program on the webserver to
> actually login with a hashed password. If he wants to log in over the
> cgi, this won't work, because the hashed value he gained by r
Hi,
Citing Tom Lane <[EMAIL PROTECTED]>:
> Daniel Martini <[EMAIL PROTECTED]> writes:
> > Now how would this work, if it would be possible to send hashed passwords
> > from libpq:
> > user sends username/password, this gets hashed by the cgi, then the hashed
> > value is sent by libpq. Session id
Daniel Martini <[EMAIL PROTECTED]> writes:
> Now how would this work, if it would be possible to send hashed passwords
> from libpq:
> user sends username/password, this gets hashed by the cgi, then the hashed
> value is sent by libpq. Session id is generated and
> stored together with the hashed p
Tino Wildenhain <[EMAIL PROTECTED]> writes:
> PS: the hash would suit better when used in a challenge authorization,
> meaning the server sends a random key, let the client
> hash(random_key || md5( cleartext_password || username ) )
> and compare it on server with
> hash(random_
Hi,
On Thu, 19.08.2004 at 16:44, Tom Lane wrote:
> Oliver Elphick <[EMAIL PROTECTED]> writes:
> > I think the password can't be stored hash-digested because it has to be
> > encrypted with a salt established at runtime. If you could just send
> > the same hash-digested password over and over,
Oliver Elphick <[EMAIL PROTECTED]> writes:
> I think the password can't be stored hash-digested because it has to be
> encrypted with a salt established at runtime. If you could just send
> the same hash-digested password over and over, it would be no more
> secure than a plaintext one.
[ looks a
On Thu, 2004-08-19 at 08:30, Daniel Martini wrote:
> Hello list,
>
> Citing Alvaro Herrera <[EMAIL PROTECTED]>:
> > The problem here is that the password can't be stored one-way-hash
> > digested, because the cleartext version is needed to be sent to the
> > server.
>
> Actually why this is so ha