
Re: OT: password encryption (salt theory)

From: "David F(dot) Skoll" <dfs(at)roaringpenguin(dot)com>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: OT: password encryption (salt theory)
Date: 2002-08-22 02:25:52
Message-ID: Pine.LNX.4.44.0208212223230.31774-100000@shishi.roaringpenguin.com
Lists: pgsql-admin
On Wed, 21 Aug 2002, Bruce Momjian wrote:

> As long as the salt is visible to the user just like the MD5 version of
> the password, we don't see any advantage to a random salt.

The only advantage is that there are likely to be more possibilities for
random salts than for user names.  Again, if you're mounting an offline
dictionary attack, you could probably come up with user names likely
to appear (postgres?  httpd?  apache?) which would expand your dictionary
only by a factor of 5-10.  Random salts would totally thwart this approach.
Plus, they can mask the fact that two users with the same name but in
different PostgreSQL installations have the same password.

--
David.
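As an added illustration of the argument in the message above (example code, not part of the original thread), the Python below contrasts a user-name-salted MD5 hash with a randomly salted one: a single precomputed table covers every likely user name at the cost of a small multiplier, and the same user name and password hash identically on two installations, whereas a per-password random salt forces a fresh dictionary pass for every target. The user-name list, the word list, and the random-salt variant are constructed assumptions; the "md5" prefix over md5(password + username) is the layout PostgreSQL's md5 passwords use.

```python
import hashlib
import os

# Constructed sample data for this illustration, not taken from the thread.
LIKELY_USERS = ["postgres", "httpd", "apache", "www", "pgsql"]     # a few likely names
WORDLIST = ["password", "letmein", "secret", "postgres", "admin"]  # tiny dictionary


def md5_username_salted(password: str, username: str) -> str:
    """Deterministic scheme under discussion: MD5 over password + user name,
    stored with PostgreSQL's "md5" prefix. Same inputs always give the same hash."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_random_salted(password: str, salt: bytes) -> str:
    """Same MD5 core mixed with a per-password random salt stored beside the
    hash (a hypothetical variant for comparison, not a PostgreSQL format)."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def build_table(users, words):
    """Offline precomputation: one entry per (likely user, word). The user-name
    salt only multiplies the dictionary by len(users), as the mail argues."""
    return {md5_username_salted(w, u): (u, w) for u in users for w in words}


def lookup_username_salted(table, stored):
    """One dictionary lookup per stored hash; no work is done per target."""
    return table.get(stored)


def search_random_salted(words, salt, stored):
    """Nothing can be precomputed for a random salt: each target needs a fresh
    pass over the dictionary. Returns (word, hashes computed) or (None, n)."""
    for n, w in enumerate(words, 1):
        if md5_random_salted(w, salt) == stored:
            return w, n
    return None, len(words)


if __name__ == "__main__":
    table = build_table(LIKELY_USERS, WORDLIST)
    print(len(table), "precomputed hashes cover", len(LIKELY_USERS), "user names")
    # Same user name and password on two installations store the same hash:
    a = md5_username_salted("secret", "postgres")
    print("cross-install match:", a == md5_username_salted("secret", "postgres"),
          "-> recovered:", lookup_username_salted(table, a))
    # With random salts the two installations store unrelated hashes:
    s1, s2 = os.urandom(8), os.urandom(8)
    print("random salts differ:", md5_random_salted("secret", s1) != md5_random_salted("secret", s2))
    print("per-target search:", search_random_salted(WORDLIST, s1, md5_random_salted("secret", s1)))
```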

