| From: | "David F(dot) Skoll" <dfs(at)roaringpenguin(dot)com> |
|---|---|
| To: | Tim Ellis <Tim(dot)Ellis(at)gamet(dot)com> |
| Cc: | Stefan Fiel <fstefan(at)cable(dot)vol(dot)at>, <pgsql-admin(at)postgresql(dot)org> |
| Subject: | Re: password encryption |
| Date: | 2002-08-22 01:40:26 |
| Message-ID: | Pine.LNX.4.44.0208212137490.22466-100000@shishi.roaringpenguin.com |
| Lists: | pgsql-admin |
On Wed, 21 Aug 2002, Tim Ellis wrote:
> I always run my passwords through md5sum(), which is an open source
> implementation, and thus seems to've been written in every language out
> there.
But a straight md5sum leaves you open to a dictionary attack. You want
to add some salt by doing something like this:
```
salt = random_4_char_string;
encrypted_password = salt + md5sum(salt + cleartext_password);
```
To verify, just extract the salt from the encrypted password and redo the
calculation.
A dictionary attack is now much less feasible because the same cleartext
password can encrypt to millions of different ciphertext passwords.
--
David.