MD5 authentication needs help

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org>
Subject: MD5 authentication needs help
Date: 2015-03-04 02:01:46
Lists: pgsql-hackers

It feels like MD5 has accumulated enough problems that we need to start
looking for another way to store and pass passwords. The MD5 problems:

1) MD5 makes users feel uneasy (though our usage is mostly safe)

2) The per-session salt sent to the client is only 32-bits, meaning
that it is possible to replay an observed MD5 hash in ~16k connection

3) Using the user name for the MD5 storage salt allows the MD5 stored
hash to be used on a different cluster if the user used the same

4) Using the user name for the MD5 storage salt causes the renaming of
a user to break the stored password.

For these reasons, it is probably time to start thinking about a
replacement that fixes these issues. We would keep MD5 but recommend
a better option.

Bruce Momjian <bruce(at)momjian(dot)us>

+ Everyone has their own god. +
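To make points 3 and 4 concrete, the following is an added illustration (not part of Bruce's message or of the PostgreSQL source) that reconstructs the md5 password scheme as documented for PostgreSQL: the stored form is "md5" plus the hex MD5 of password concatenated with the role name, and the wire response is "md5" plus the hex MD5 of that stored hex concatenated with the 4-byte per-session salt. The role names, passwords and salt bytes below are constructed sample values; the helper names are my own.

```python
import hashlib
import hmac
import os

# Reconstruction of PostgreSQL's md5 password scheme for illustration:
#   stored form   : "md5" + hex(md5(password + username))
#   wire response : "md5" + hex(md5(stored_hex + salt)), salt is 4 random bytes
# Function names and sample values are constructed for this example.

SALT_BYTES = 4  # the per-session salt is 32 bits


def md5_stored_password(password: str, username: str) -> str:
    """Value kept by the server when a role's password is set under the md5 scheme.

    The role name is the only 'salt'. Consequences that the list above raises:
    the same password under the same role name yields an identical stored
    value on every cluster (point 3), and renaming the role invalidates the
    stored value because the name is baked into the hash (point 4).
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def md5_challenge_response(stored: str, salt: bytes) -> str:
    """Response the client sends after receiving the per-session salt.

    Only the stored form and the salt go into it, so the stored value itself
    must be protected as carefully as a cleartext password would be.
    """
    if len(salt) != SALT_BYTES:
        raise ValueError("md5 auth uses a 32-bit (4-byte) per-session salt")
    if not stored.startswith("md5") or len(stored) != 35:
        raise ValueError("not an md5-scheme stored password")
    inner_hex = stored[3:]
    return "md5" + hashlib.md5(inner_hex.encode("ascii") + salt).hexdigest()


def client_response(password: str, username: str, salt: bytes) -> str:
    """What a client knowing the cleartext password computes for a given salt."""
    return md5_challenge_response(md5_stored_password(password, username), salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server-side check: recompute the expected response and compare in constant time."""
    expected = md5_challenge_response(stored, salt)
    return hmac.compare_digest(expected, response)


def stored_value_is_portable(password: str, username: str) -> bool:
    """Point 3: two independent clusters storing the same role/password end up
    with byte-identical stored values, because nothing cluster-specific is mixed in."""
    cluster_a = md5_stored_password(password, username)
    cluster_b = md5_stored_password(password, username)
    return cluster_a == cluster_b


def password_survives_rename(password: str, old_name: str, new_name: str) -> bool:
    """Point 4: simulate a role rename. The server still holds the value computed
    under old_name; the client now authenticates as new_name with the same
    password. Returns True only when the two names are the same."""
    stored = md5_stored_password(password, old_name)
    salt = os.urandom(SALT_BYTES)
    response = client_response(password, new_name, salt)
    return server_verify(stored, salt, response)


if __name__ == "__main__":
    stored = md5_stored_password("correct horse", "alice")
    salt = os.urandom(SALT_BYTES)
    print("stored:", stored)
    print("login ok:", server_verify(stored, salt, client_response("correct horse", "alice", salt)))
    print("portable across clusters:", stored_value_is_portable("correct horse", "alice"))
    print("survives rename alice -> alicia:", password_survives_rename("correct horse", "alice", "alicia"))
```

Running it shows the stored value is deterministic for a given role name and password, that the login check passes for the original name, and that the same password no longer verifies once the role is renamed, because the server's stored value was computed under the old name.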

