From: | David Garamond <lists(at)zara(dot)6(dot)isreserved(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Richard Huxton <dev(at)archonet(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Salt in encrypted password in pg_shadow |
Date: | 2004-09-08 02:11:33 |
Message-ID: | 413E6A55.7060704@zara.6.isreserved.com |
Lists: | pgsql-general |
Tom Lane wrote:
>>Many people use short and easy-to-guess passwords (remember we're not
>>talking about the superuser only here), so the dictionary attack can be
>>more effective than people think.
>
> And that responds to the speed argument how? I quite agree that a
> guessable password is risky, but putting in a random salt offers no
> real advantage if the salt has to be stored in the same place as the
> encrypted password.
Hm, I thought the purpose of salt is generally well understood? A
well-known string such as "postgres" is *not* a good salt at all.
Here are a couple of pages that hopefully can explain better:
http://en.wikipedia.org/wiki/Dictionary_attack
http://en.wikipedia.org/wiki/Salt_(cryptography)
--
dave
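An added illustration of the point being argued (not code from the thread or from PostgreSQL; it uses an iterated SHA-256 stand-in rather than PostgreSQL's own password scheme, and the account names and passwords are constructed): with the shared salt "postgres", equal passwords yield equal stored values and a single wordlist table serves every account, whereas a per-user random salt stored right beside the hash forces that work to be repeated per account and rules out precomputation.

```python
import hashlib
import hmac
import secrets

# The well-known string discussed in the thread, used here as a constant salt.
FIXED_SALT = b"postgres"

def hash_password(password: str, salt: bytes, rounds: int = 1000) -> bytes:
    """Iterated SHA-256 over salt||password; a stand-in for any salted scheme."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(salt + digest).digest()
    return digest

def store_fixed_salt(users: dict) -> dict:
    """Scheme A: every record carries the same well-known salt."""
    return {name: (FIXED_SALT, hash_password(pw, FIXED_SALT))
            for name, pw in users.items()}

def store_random_salt(users: dict) -> dict:
    """Scheme B: a fresh 16-byte random salt per user, stored beside the hash."""
    store = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        store[name] = (salt, hash_password(pw, salt))
    return store

def verify(name: str, password: str, store: dict) -> bool:
    """Login check: the stored salt is all the server needs, in either scheme."""
    salt, digest = store[name]
    return hmac.compare_digest(hash_password(password, salt), digest)

def duplicate_passwords_visible(store: dict) -> bool:
    """Do records with equal passwords show equal stored values?
    With a shared salt they do, which is itself an information leak."""
    digests = [digest for _, digest in store.values()]
    return len(digests) != len(set(digests))

def hashes_to_check_wordlist(store: dict, wordlist_size: int) -> int:
    """Work to test every wordlist entry against every record: one table serves
    all records sharing a salt (and can be built before the records are seen),
    so distinct per-user salts multiply the work and block precomputation."""
    distinct_salts = {salt for salt, _ in store.values()}
    return wordlist_size * len(distinct_salts)
```

Build both stores from the same constructed accounts and compare `duplicate_passwords_visible` and `hashes_to_check_wordlist` for each; `verify` succeeds against either, showing the stored salt costs the server nothing.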