Bugtraq mailing list archives
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted
From: Michael Samuel <michael () miknet net>
Date: Fri, 22 Apr 2005 13:33:44 +1000
On Thu, 21 Apr 2005 11:32 pm, Rod Taylor wrote:
On Thu, 2005-04-21 at 11:06 +0200, Tino Wildenhain wrote: One advantage of a random salt would be that the username can be changed without having to reset the password at the same time.
And the main advantage is that if you have an account with the same username on another database server, it makes attacks twice as hard. (Assuming those two database servers, or their backups are compromised) Note that salts aren't supposed to be secret (well, no more so than the password hash), they just need to be unique. Of course, if you're going to add a salt (which requires changing the protocol and the storage format), you may aswell move away from md5 (which has been considered deprecated for quite some time... longer than it's been used in PostgreSQL), and move towards something more secure, such as blowfish crypt (or an AES adaptation of it?).
Current thread:
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords, (continued)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Antoine Martin (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Stephen Frost (Apr 23)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Antoine Martin (Apr 23)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Joshua D. Drake (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Lance James (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Tino Wildenhain (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Rod Taylor (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Tino Wildenhain (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Michael Samuel (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim Knoble (Apr 21)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 21)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 22)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim Knoble (Apr 22)