| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Steve Atkins <steve(at)blighty(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Salt in encrypted password in pg_shadow |
| Date: | 2004-09-08 04:33:39 |
| Message-ID: | 15601.1094618019@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Steve Atkins <steve(at)blighty(dot)com> writes:
> If we need to tweak the authentication protocol _anyway_ at some
> point it'd be great to improve things. But until then... not worth
> the pain.
I've been hearing rumblings that MD5 and all other known crypto
protocols are known vulnerable since the latest crypto symposiums.
(Not that we didn't all suspect the NSA et al could break 'em, but
now they've told us exactly how they do it.)
So as soon as someone wheels up a new crypto hash method that looks
trustworthy, we can invent a new auth protocol and maybe throw in
another level of random salting while we're at it. But right now
I doubt it's worth the effort :-(
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Randy Yates | 2004-09-08 04:39:53 | Another Security Question: User-based Roles vs. Application Business Rules |
| Previous Message | Tom Lane | 2004-09-08 04:20:39 | Re: Salt in encrypted password in pg_shadow |