Re: Encoding passwords

On Thu, Sep 27, 2001 at 02:58:37PM -0400, Bruce Momjian wrote:
> > I personally use encoded password= hash( concat(salt,password)), and store
> > both the salt and the encoded password. Where hash = sha1 or md5.
> >
> > The DB columns are: salt, encoded password, encoding method.

> We have new code in 7.2 that will do MD5 encryption of passwords stored
> in pg_shadow. We add the salt to the front of the password before
> passing through MD5. You are suggesting putting the salt at the end.
>
> I guess the issue is that if you can get the salt part found out, you
> can use that to attack the password part. Also, consider that we use
> the username as the salt as stored in pg_shadow. We can easily put the
> salt in the back, but then there is the risk that a long password would
> not take into account the salt. My feeling that this is more a
> theoretical concern and we may be opening ourselves up to more problems
> if we make the change.
>
> Other ideas?

It does not matter. As you are using only one round of MD5/SHA1
which are quite fast, on very short data, it is very easy to
brute-force it anyway, salt or no salt. Only good solution for
storing short data hashed is to use very slow algorithm, like
crypt-md5 and crypt-blowfish are doing. On crypt-blowfish
you can even 'tune' the slowness by giving number of rounds
to run.

Another idea is stop storing hashes altogether and use protocol
like SRP which stores on server side on 'verificators'. I am
interested hacking PostgreSQL to use SRP, but have not had time
for it yet.

--
marko