| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | marcin mank <marcin(dot)mank(at)gmail(dot)com> |
| Cc: | Marko Kreen <markokr(at)gmail(dot)com>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Rejecting weak passwords |
| Date: | 2009-09-28 23:26:52 |
| Message-ID: | 16091.1254180412@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
marcin mank <marcin(dot)mank(at)gmail(dot)com> writes:
>> The case that ENCRYPTED
>> protects against is database superusers finding out other users'
>> original passwords, which is a security issue to the extent that those
>> users have used the same/similar passwords for other systems.
> I just want to note that md5 is not much of a protection against this
> case these days. Take a look at this:
> http://www.golubev.com/hashgpu.htm
> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.
Yeah, but that will find you a password that hashes to the same thing.
Not necessarily the same password. It'll get you into the Postgres
DB just fine, which you don't care about because you're already a
superuser there. It won't necessarily get you into the assumed
third-party systems.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Itagaki Takahiro | 2009-09-29 01:11:19 | Re: Buffer usage in EXPLAIN and pg_stat_statements (review) |
| Previous Message | Cathy Mullican | 2009-09-28 23:25:26 | Re: [PATCH] DefaultACLs |