| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Jim C(dot) Nasby" <decibel(at)decibel(dot)org> |
| Cc: | Paul Tillotson <pntil(at)shentel(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
| Date: | 2005-04-21 04:54:38 |
| Message-ID: | 11372.1114059278@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
"Jim C. Nasby" <decibel(at)decibel(dot)org> writes:
> I would think it wouldn't be hard to change the protocol/code so that
> the response from providing an invalid user is the same as providing a
> valid one.
How would you do that? The response for a valid user will (a) include
the same salt on repeated trials (so no generating a random one); (b)
usually be different from the salt given for other usernames (so no
using the same one every time, either) and (c) probably be provided in a
measurably different time from the time taken by any algorithm that
manages to work around (a) and (b).
You could maybe work around (c) by delaying *all* password challenges to
take, say, 100 msec ... but that's hardly what I call a cost-free
solution either.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2005-04-21 05:06:13 | Re: Proposal for background vacuum full/cluster |
| Previous Message | Jim C. Nasby | 2005-04-21 04:49:47 | Re: Proposal for background vacuum full/cluster |