Bugtraq mailing list archives
RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
From: "Mike Fratto" <mfratto () nwc com>
Date: Thu, 21 Apr 2005 17:57:21 -0400
That's the whole point of the discussion- the way Postgres's pg_shadow stuff works the salt is known and *because* of that it might as well not exist since it means that you can pre-compute the keyspace.
I see your point. I don't know anything about postgres. I don't use it. But if someone can get to the pg_hba.conf file (I assume (hope) it is read/write by the process owner or root only?) then your screwed anyway. So while there may be better ways to store and use passwords, perhaps in light of the root of the problem (getting to the file) the fore-knowledge of a salt isn't that important. If an admin created a "strong" password (whatever that means), then pre-computation won't help an attacker get it. At worst for the admon, pre-computation will shorten the attackers time to know if the password can be broken or not. At best it might slow them down a bit (but not really). I dunno.
Current thread:
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords, (continued)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Lance James (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Tino Wildenhain (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Rod Taylor (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Tino Wildenhain (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Michael Samuel (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim Knoble (Apr 21)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 21)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 22)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim Knoble (Apr 22)