Re: Salt in encrypted password in pg_shadow

From: Richard Huxton <dev(at)archonet(dot)com>
To: David Garamond <lists(at)zara(dot)6(dot)isreserved(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-general(at)postgresql(dot)org
Subject: Re: Salt in encrypted password in pg_shadow
Date: 2004-09-07 17:22:18
Message-ID: 413DEE4A.6030608@archonet.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

David Garamond wrote:
> Consider someone who creates a long list of:
>
> MD5( "postgres" + "aaaaaaaa" )
> MD5( "postgres" + "aaaaaaab" )
> MD5( "postgres" + "aaaaaaac" )
> ...
>
> Now if he has access to other people's pg_shadow, he can compare the
> hashes with his dictionary. Replacing "postgres" with a random salt
> defeats this dictionary attack (and thus he will have to resort to brute
> force).

But surely you have to store the random salt in pg_shadow too? Or am I
missing something?

--
Richard Huxton
Archonet Ltd

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Alex Soto 2004-09-07 17:27:40 Re: supressing NOTICE messages on Windows/cygwin only not working?
Previous Message Gaetano Mendola 2004-09-07 16:54:15 Re: The usual sequential scan, but with LIMIT !