Em Monday 03 March 2008 13:17:03 vocĂȘ escreveu: > > My understanding is no password is sent in the clear with md5 per: > > http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSW >ORD
But the MD5 hash is. This page states that the password can't be directly sniffed, but one can still get the hash of the password and perform a dictionary attack against it on a local copy (i.e., without ever trying to connect to the server). After a successful attack then one can connect directly to the server as if the password was known to him/her. Crypting the channell -- be it with SSL or SSH, for example -- will prevent the sniffer from being able to capture the hash, so your password will be safer. -- Jorge Godoy <[EMAIL PROTECTED]> ---------------------------(end of broadcast)--------------------------- TIP 5: don't forget to increase your free space map settings
