From: | Bill Moran <wmoran(at)potentialtech(dot)com> |
---|---|
To: | "Vlad K(dot)" <vlad(at)haronmedia(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: sefety of passwords for web-service applications |
Date: | 2012-11-24 12:24:19 |
Message-ID: | 20121124072419.8445f5af2cc921c0b9e54373@potentialtech.com |
Lists: | pgsql-general |
On Sat, 24 Nov 2012 11:05:38 +0100 "Vlad K." <vlad(at)haronmedia(dot)com> wrote:
>
> On 11/24/2012 10:15 AM, Rafal Pietrak wrote:
> > Some improvement in passwords safety could be gained, if the database
> > table access methods (e.g. SELECT...) provided means to limit that
> > access to just one entry at a time, and return results only when
> > (password) column hash was equal for a single entry. e.g. information is
> > not leaking when passwords don't match.
>
> But what about situations where the attackers gained access to the
> database itself or faulty discs that got replaced? Isn't just having a
> strong hash a better solution? And by strong I mean a bcrypt based or
> similar approach that requires significant time to calculate a single hash.
The best defense from this kind of attack is PKI. The client generates a
key pair and installs the public key in the application database, keeping
the private key to use for auth.
Of course, this requires a level of technical knowledge beyond what most
users possess, which is a damn shame.
--
Bill Moran <wmoran(at)potentialtech(dot)com>
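The scheme Bill sketches above (client generates a key pair, the server stores only the public key, the private key is used for authentication), worked through as an added example in Go with the standard library's Ed25519. This is not code from the thread or from PostgreSQL; the challenge/response shape, the context string in the signed message, and the in-memory map standing in for the application's users table are all this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// challengeMessage is what the client signs: a context string, the username
// and the server nonce. The context string and the user binding are this
// example's choice (the mail does not specify them); they keep a signature
// made for this login from being useful for anything else.
func challengeMessage(user string, nonce []byte) []byte {
	msg := []byte("pgsql-general-demo-login-v1\x00" + user + "\x00")
	return append(msg, nonce...)
}

// Server owns the user store. The map stands in for a users table and holds
// ONLY public keys, so a leaked dump or a discarded disk yields nothing an
// attacker can log in with.
type Server struct {
	mu         sync.Mutex
	pubkeys    map[string]ed25519.PublicKey // username -> enrolled public key
	challenges map[string][]byte            // username -> outstanding single-use nonce
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll is the "installs the public key in the application database" step.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pubkeys[user] = pub
	return nil
}

// Challenge hands the client a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding challenge and consumes
// the challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	nonce, ok := s.challenges[user]
	if !ok {
		return false // no login in progress, or challenge already used
	}
	delete(s.challenges, user) // single use, whether or not the check passes
	return ed25519.Verify(s.pubkeys[user], challengeMessage(user, nonce), sig)
}

// Client keeps the private key; it never leaves this struct.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

func NewClient(user string) (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{user: user, priv: priv}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

// Answer signs the challenge; the signature is the only thing the client sends.
func (c *Client) Answer(nonce []byte) []byte {
	return ed25519.Sign(c.priv, challengeMessage(c.user, nonce))
}

// Login runs the whole exchange: challenge, signature, verification.
func Login(s *Server, c *Client) (bool, error) {
	nonce, err := s.Challenge(c.user)
	if err != nil {
		return false, err
	}
	return s.Verify(c.user, c.Answer(nonce)), nil
}

func main() {
	s := NewServer()
	alice, _ := NewClient("alice")
	_ = s.Enroll("alice", alice.PublicKey())
	ok, _ := Login(s, alice)
	fmt.Println("alice with her private key:", ok) // true
	// Someone who dumped the user store has alice's public key and nothing
	// else; a fresh key pair under her username is all they can try.
	mallory, _ := NewClient("alice")
	ok, _ = Login(s, mallory)
	fmt.Println("attacker holding only the database:", ok) // false
}
```

Two details carry the security argument. The stored value is a public key, so the "attacker has the database" case Vlad raises costs the attacker nothing beyond what a password hash leak would, and there is no hash to brute-force at all; the thing that now needs protecting is the private key on the client. The server also deletes each challenge on first use and binds the signed bytes to a context string and username, so a sniffed signature cannot be replayed and the server cannot be turned into a signing oracle for some other protocol.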