Bugtraq mailing list archives

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted


From: Tino Wildenhain <tino () wildenhain de>
Date: Thu, 21 Apr 2005 15:47:33 +0200

On Thursday, 21.04.2005, 09:32 -0400, Rod Taylor wrote:
> On Thu, 2005-04-21 at 11:06 +0200, Tino Wildenhain wrote:
> > On Wednesday, 20.04.2005, 16:23 -0500, Jim C. Nasby wrote:
> > > On Wed, Apr 20, 2005 at 05:03:18PM -0400, Tom Lane wrote:
> > > > ...
> > > Simply put, MD5 is no longer strong enough for protecting secrets. It's
> > > just too easy to brute-force. SHA1 is ok for now, but its days are
> > > numbered as well. I think it would be good to alter SHA1 (or something
> > > stronger) as an alternative to MD5, and I see no reason not to use a
> > > random salt instead of username.
> >
> > I wonder where you want to store that random salt and how this would add
> > to the security.
>
> One advantage of a random salt would be that the username can be changed
> without having to reset the password at the same time.

Still, this does not answer the question where that salt is to be
stored :)

(Instead of the username one could use somefancyhash(userid) to be
independent of the username - OTOH, if you change usernames
you usually face some other serious problems like object
ownership and friends.)
-- 
Tino Wildenhain <tino () wildenhain de>
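The point under discussion, as an added example that is not part of this thread or of PostgreSQL's source: PostgreSQL's md5 scheme stores the literal prefix "md5" followed by md5(password || username), so the username is the salt and lives in the row itself; a random salt is not secret either and is simply stored next to the digest in the same field. The "sha1$<salt>$<digest>" and "sha1oid$..." formats below are hypothetical illustrations, as is the rename scenario with user "alice" and oid 16384.

```python
import hashlib
import os
from typing import Optional


def pg_md5_hash(password: str, username: str) -> str:
    """PostgreSQL-style stored form: 'md5' + md5(password || username).
    The username is the salt; it is not stored separately because it is
    already a column of the same row."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def pg_md5_verify(stored: str, password: str, username: str) -> bool:
    return pg_md5_hash(password, username) == stored


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Random-salt alternative (hypothetical format 'sha1$<salthex>$<digest>').
    The salt is public: it is kept in the stored value so verification can
    recompute the digest. Only the password must stay secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "sha1$" + salt.hex() + "$" + digest


def salted_verify(stored: str, password: str) -> bool:
    scheme, salt_hex, _digest = stored.split("$")
    if scheme != "sha1":
        return False
    return salted_hash(password, bytes.fromhex(salt_hex)) == stored


def oid_salted_hash(password: str, user_oid: int) -> str:
    """Variant from the message above: derive the salt from a stable user id
    instead of the name (hypothetical format 'sha1oid$<digest>')."""
    salt = hashlib.sha1(str(user_oid).encode("utf-8")).digest()[:8]
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "sha1oid$" + digest


def oid_salted_verify(stored: str, password: str, user_oid: int) -> bool:
    return oid_salted_hash(password, user_oid) == stored


def rename_scenario():
    """Constructed scenario: user 'alice' (oid 16384) is renamed.
    Returns (md5_still_verifies, random_salt_still_verifies,
             oid_salt_still_verifies)."""
    password = "correct horse"
    row = {
        "usename": "alice",
        "oid": 16384,
        "md5": pg_md5_hash(password, "alice"),
        "salted": salted_hash(password),
        "oidsalted": oid_salted_hash(password, 16384),
    }
    row["usename"] = "alice_renamed"  # what ALTER USER ... RENAME does to the row
    return (
        pg_md5_verify(row["md5"], password, row["usename"]),
        salted_verify(row["salted"], password),
        oid_salted_verify(row["oidsalted"], password, row["oid"]),
    )


if __name__ == "__main__":
    print(rename_scenario())
```

With the username as salt, the stored hash is tied to the name and a rename invalidates it; with a random or oid-derived salt the hash survives the rename. In all three cases the salt is stored (or implied) in the same row as the digest, which is the answer to "where is the salt stored": beside the hash, in the clear.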

