Skip site navigation (1) Skip section navigation (2)

Re: Rejecting weak passwords

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: marcin mank <marcin(dot)mank(at)gmail(dot)com>
Cc: Marko Kreen <markokr(at)gmail(dot)com>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-09-28 23:26:52
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
marcin mank <marcin(dot)mank(at)gmail(dot)com> writes:
>> The case that ENCRYPTED
>> protects against is database superusers finding out other users'
>> original passwords, which is a security issue to the extent that those
>> users have used the same/similar passwords for other systems.

> I just want to note that md5 is not much of a protection against this
> case these days. Take a look at this:

> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.

Yeah, but that will find you a password that hashes to the same thing.
Not necessarily the same password.  It'll get you into the Postgres
DB just fine, which you don't care about because you're already a
superuser there.  It won't necessarily get you into the assumed
third-party systems.

			regards, tom lane

In response to

pgsql-hackers by date

Next:From: Itagaki TakahiroDate: 2009-09-29 01:11:19
Subject: Re: Buffer usage in EXPLAIN and pg_stat_statements (review)
Previous:From: Cathy MullicanDate: 2009-09-28 23:25:26
Subject: Re: [PATCH] DefaultACLs

Privacy Policy | About PostgreSQL
Copyright © 1996-2018 The PostgreSQL Global Development Group