Quick Links

Re: md5 again

From:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:	Vince Vielhaber <vev(at)michvhf(dot)com>
Cc:	Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject:	Re: md5 again
Date:	2000-07-11 17:07:59
Message-ID:	1449.963335279@sss.pgh.pa.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Vince Vielhaber <vev(at)michvhf(dot)com> writes:
> Simple dictionary passwords. Run them thru a script and compare the
> output.

I was under the impression we'd prevented that by use of a random salt
chosen on-the-fly for each login attempt ... have to go reread the
thread to be sure though.

In any case, if your threat model is a dictionary attack, what's to
stop the attacker from using a dictionary of likely usernames as well?
I still don't see much security gain from hashing the username.

regards, tom lane

In response to

Re: md5 again at 2000-07-11 16:56:29 from Vince Vielhaber

Responses

Re: md5 again at 2000-07-11 17:23:51 from Vince Vielhaber

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Vince Vielhaber	2000-07-11 17:23:51	Re: md5 again
Previous Message	Bruce Momjian	2000-07-11 17:07:21	Re: md5 again