| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Jim C(dot) Nasby" <decibel(at)decibel(dot)org> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers(at)postgresql(dot)org, bugtraq(at)securityfocus(dot)com |
| Subject: | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
| Date: | 2005-04-20 22:03:18 |
| Message-ID: | 6070.1114034598@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
"Jim C. Nasby" <decibel(at)decibel(dot)org> writes:
> Simply put, MD5 is no longer strong enough for protecting secrets. It's
> just too easy to brute-force. SHA1 is ok for now, but it's days are
> numbered as well. I think it would be good to alter SHA1 (or something
> stronger) as an alternative to MD5, and I see no reason not to use a
> random salt instead of username.
Well, I have no particular problem with offering SHA1 as an alternative
hash method for those who find MD5 too weak ... but I still question the
value of putting any random salt in the table. AFAICS you would have to
send that salt as part of the initial password challenge, which means
any potential attacker could find it out even before trying to
compromise pg_shadow; so Stephen's argument that there is a useful
improvement in protection against precomputation of password hashes
still falls down.
BTW, one could also ask exactly what threat model Stephen is concerned
about. ISTM anyone who can obtain the contents of pg_shadow has
*already* broken your database security.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim C. Nasby | 2005-04-20 22:05:56 | Proposal for background vacuum full/cluster |
| Previous Message | Bruce Momjian | 2005-04-20 21:53:53 | Re: Problem with PITR recovery |