| From: | marcin mank <marcin(dot)mank(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Marko Kreen <markokr(at)gmail(dot)com>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Rejecting weak passwords |
| Date: | 2009-09-28 21:49:06 |
| Message-ID: | b1b9fac60909281449l2d0cb757y5f097010bb1dba54@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> The case that ENCRYPTED
> protects against is database superusers finding out other users'
> original passwords, which is a security issue to the extent that those
> users have used the same/similar passwords for other systems.
I just want to note that md5 is not much of a protection against this
case these days. Take a look at this:
http://www.golubev.com/hashgpu.htm
It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
of up to 8 chars in length.
Maybe it is time to look at something like bcrypt.
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
Greetings
Marcin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bernd Helmle | 2009-09-28 22:33:03 | Re: TODO item: Allow more complex user/database default GUC settings |
| Previous Message | Euler Taveira de Oliveira | 2009-09-28 21:26:47 | Buffer usage in EXPLAIN and pg_stat_statements (review) |