| From: | "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no> |
|---|---|
| To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
| Cc: | Vince Vielhaber <vev(at)michvhf(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, The Hermit Hacker <scrappy(at)hub(dot)org>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
| Date: | 2000-05-06 16:45:26 |
| Message-ID: | 20000506184526.B22812@online.no |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
[Bruce Momjian]
| store the password in pg_shadow like a unix-style password with salt
| pass the random salt and the salt from pg_shadow to the client
| client crypts the password twice through the routine:
| once using the pg_shadow salt
| another time using the random salt
That's close to what I thought of a couple of days ago too, except I
would have used MD5, since I already have that implemented. :) (It
seems you already have crypt, so you wouldn't need MD5.)
Does anyone here really _know_ (and I mean KNOW)
security/cryptography? If so, could you please comment on this
scheme? And while you're at it, whats better of MD5 and Unix crypt
(triple DES ++, isn't it?) from a security perspective?
Sverre.
--
<URL:mailto:sverrehu(at)online(dot)no>
<URL:http://home.sol.no/~sverrehu/> Echelon bait: semtex, bin Laden,
plutonium, North Korea, nuclear bomb
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Vince Vielhaber | 2000-05-06 16:56:57 | Re: You're on SecurityFocus.com for the cleartext passwords. |
| Previous Message | Bruce Momjian | 2000-05-06 16:33:29 | Re: What do you think? |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Vince Vielhaber | 2000-05-06 16:56:57 | Re: You're on SecurityFocus.com for the cleartext passwords. |
| Previous Message | Bruce Momjian | 2000-05-06 16:28:53 | Re: You're on SecurityFocus.com for the cleartext passwords. |