| From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
|---|---|
| To: | Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
| Cc: | "Bossart, Nathan *EXTERN*" <bossartn(at)amazon(dot)com>, Euler Taveira <euler(at)timbira(dot)com(dot)br>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Enhancements to passwordcheck |
| Date: | 2017-09-27 10:48:14 |
| Message-ID: | CAB7nPqRY8R=aJVtGYsw1mtKByiFko7qr0DtPDwyodCq1X4LmSQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Sep 27, 2017 at 6:05 PM, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> wrote:
> I had the impression that the reasons why database passwords are
> not the best option for high security were:
> 1) The password hash is stored in the database and can be stolen and
> cracked (don't know if dictionary attacks are harder with SCRAM).
> 2) The password or the password hash are transmitted to the server
> when you change the password and may be captured.
Having a MD5 hash is enough to connect to the database. No need to crack it.
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marko Tiikkaja | 2017-09-27 10:52:33 | 200 = 199 + 1? |
| Previous Message | Taiki Kondo | 2017-09-27 10:41:26 | Float value 'Infinity' is cast to numeric 1 on Windows |