From: | "Gene Sokolov" <hook(at)aktrad(dot)ru> |
---|---|
To: | "Bruce Momjian" <maillist(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | <pgsql-hackers(at)postgreSQL(dot)org> |
Subject: | Re: [HACKERS] Updated TODO list |
Date: | 1999-07-15 07:06:04 |
Message-ID: | 04e501bece90$80e16460$0d8cdac3@aktrad.ru |
Lists: | pgsql-hackers |
From: Bruce Momjian <maillist(at)candle(dot)pha(dot)pa(dot)us>
> > > Doing the random salt over the wire would still be a problem.
> >
> > There is absolutely no technical problem with storing hashed passwords and
> > still sending salted hash over the wire. It was recently discussed in detail
> > in "Hashing passwords" thread in pgsql-hackers list.
>
> But you are hashing it with a secret known by the database administrator,
Yes, DB admin can gain usable info.
> and someone knows any password, like their own, can guess the secret by
> looking at the hashed version, no?
No. Not any password, <master value> only. SHA or MD5 hash is one-way. There
are many schemes. What I proposed is just one solution. Others may propose
something better.
Here are my thoughts:
1. Yes, database admin can compromise security of the whole installation, no
matter what security scheme is selected.
2. Even if database admin can compromise security, I would rather opt for a
better security scheme, rather than give up completely.
3. When you enter your password at any login prompt, the password either
appears as *** or does not appear at all. Why do you think it is done this
way? Same applies to select * from pg_shadow.
4. Storing hashes instead of plain text passwords would divert all casual
and "peek over the shoulder" hackers. It's two really different tasks -
memorizing a password or memorizing 24 random-looking bytes of a base64 hash
presentation.
6. People tend to reuse passwords. Getting one password helps to get other
passwords too.
7. I do not understand why it's so important to keep passwords in plain
text. Just a simple hash would help a lot.
Gene Sokolov.
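The scheme argued for above (store only a one-way hash, send a salted hash of it over the wire), as an added illustration that is not part of the thread and not the scheme PostgreSQL actually adopted; the function names, SHA-256 and the 16-byte salt are assumptions of this example. It also shows the limitation Bruce raises: the stored hash alone is enough to complete the exchange, so the hash column still needs protecting.

```python
import hashlib
import hmac
import os
from base64 import b64encode

# Hypothetical challenge-response scheme written for this example.
# The server keeps only a one-way hash of the password, and every login
# uses a fresh random salt so the value on the wire never repeats.


def hash_password(password: str) -> str:
    """What the server stores instead of the plaintext password."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return b64encode(digest).decode("ascii")


def wire_response(stored_hash: str, salt: bytes) -> str:
    """What travels over the wire: hash of the stored value plus the salt."""
    digest = hashlib.sha256(stored_hash.encode("ascii") + salt).digest()
    return b64encode(digest).decode("ascii")


def client_login(password: str, salt: bytes) -> str:
    # The client knows the plaintext, so it recomputes the stored hash first.
    return wire_response(hash_password(password), salt)


def server_verify(stored_hash: str, salt: bytes, response: str) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(wire_response(stored_hash, salt), response)


def new_salt() -> bytes:
    return os.urandom(16)


def demo() -> tuple:
    stored = hash_password("correct horse")        # constructed sample row
    salt1, salt2 = new_salt(), new_salt()
    r1 = client_login("correct horse", salt1)
    r2 = client_login("correct horse", salt2)
    accepted = server_verify(stored, salt1, r1)
    rejected = not server_verify(stored, salt1, client_login("wrong", salt1))
    # Caveat from the thread: whoever reads the stored hash can answer the
    # challenge without the password, so the hash is still sensitive data.
    hash_alone_suffices = server_verify(stored, salt2, wire_response(stored, salt2))
    return accepted, rejected, r1 != r2, hash_alone_suffices
```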