Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Jim C(dot) Nasby" <decibel(at)decibel(dot)org>
Cc: Greg Stark <gsstark(at)mit(dot)edu>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: 2005-04-21 15:15:07
Message-ID: 15611.1114096507@sss.pgh.pa.us
Lists: pgsql-hackers

"Jim C. Nasby" <decibel(at)decibel(dot)org> writes:
> Something that just occurred to me... if you're using a random salt, you
> can change it periodically without any disruption. So in the case of a
> site that's worried about brute-forcing a password or hash you can
> periodically update all the salts with new random values.

Not unless you force the users to change passwords. How are you going
to use MD5(passwd,oldsalt) to derive MD5(passwd,newsalt) when you don't
know passwd?

regards, tom lane
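An added illustration (not code from the thread or from PostgreSQL) of the point above: with a stored MD5(passwd, salt) record, re-salting can only be done by recomputing the hash from the plaintext, which is in hand only when the password is set or presented; the record layout and function names here are assumptions.

```python
import hashlib
import secrets
from typing import Optional

# Constructed example of the MD5(passwd, salt) scheme discussed in the thread.
# MD5 is used only because the thread is about it; a password store built today
# would use a slow, purpose-built KDF instead.

def salted_md5(password: str, salt: str) -> str:
    """Hex digest of MD5 over the password followed by the salt."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

def make_record(password: str, salt: Optional[str] = None) -> dict:
    """Store a fresh random salt plus the hash; the plaintext is never stored."""
    salt = secrets.token_hex(8) if salt is None else salt
    return {"salt": salt, "hash": salted_md5(password, salt)}

def verify(record: dict, password: str) -> bool:
    """Check a presented password against the stored salt and hash."""
    return secrets.compare_digest(record["hash"], salted_md5(password, record["salt"]))

def resalt(record: dict, password: str, new_salt: Optional[str] = None) -> dict:
    """Move a record to a new salt. This needs the plaintext (password change or
    the moment of a successful login): the new hash is computed from the
    password, and cannot be derived from the old hash."""
    if not verify(record, password):
        raise ValueError("plaintext does not match stored hash; cannot re-salt")
    return make_record(password, new_salt)

def naive_resalt(record: dict, new_salt: str) -> dict:
    """What 'rotating the salt' without the password would amount to: hashing
    the stored hash under the new salt. The result verifies nobody's password."""
    return {"salt": new_salt, "hash": salted_md5(record["hash"], new_salt)}

if __name__ == "__main__":
    rec = make_record("correct horse", salt="old-salt")
    rotated = resalt(rec, "correct horse", new_salt="new-salt")
    print(verify(rotated, "correct horse"))                        # True
    print(verify(naive_resalt(rec, "new-salt"), "correct horse"))  # False
```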
