From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Hannu Krosing <hannu(at)tm(dot)ee> |
Cc: | Vince Vielhaber <vev(at)michvhf(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: So we're in agreement.... |
Date: | 2000-05-07 13:08:45 |
Message-ID: | 200005071308.JAA19116@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
> > Yes, MD5, double-crypt with pg_shadow salt and random salt. Sounds like
> > a winner all around.
>
> why pg_shadow salt ? for md5 we will need to store it separately anyway.
> why not MD5(<server-supplied-random-salt> || MD5(<username> ||
> <password>))
> that way we would overcome the original need for salt (accidental
> discovery
> of similar passwords) and would have no need for storing the salt.
>
> actually we would probably need some kind of separator as well to avoid
> the scenario of <user>+<password> and <userpa>+<ssword> being the same
> and thus having the same md5 hash. so the escheme could be
>
> MD5(<server-supplied-random-salt> || '\n' || MD5(<username> || '\n' ||
> <password>))
>
> AFAIK there is no easy way to have a newline inside password.
Well, unix passwords don't use the username as salt, so why should we?
--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From | Date | Subject | |
---|---|---|---|
Next Message | Robert B. Easter | 2000-05-07 14:37:28 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Sverre H. Huseby | 2000-05-07 12:39:32 | Re: So we're in agreement.... |
From | Date | Subject | |
---|---|---|---|
Next Message | Robert B. Easter | 2000-05-07 14:37:28 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Sverre H. Huseby | 2000-05-07 12:39:32 | Re: So we're in agreement.... |