From: | Peter Bex <Peter(dot)Bex(at)xs4all(dot)nl> |
---|---|
To: | PostgreSQL hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: A stab at implementing better password hashing, with mixed results |
Date: | 2012-12-27 15:39:13 |
Message-ID: | 20121227153913.GA21622@frohike.homeunix.org |
Lists: | pgsql-hackers |
On Thu, Dec 27, 2012 at 12:31:08PM -0300, Claudio Freire wrote:
> On Thu, Dec 27, 2012 at 11:46 AM, Peter Bex <Peter(dot)Bex(at)xs4all(dot)nl> wrote:
> >
> > Implementing a more secure challenge-response based algorithm means
> > a change in the client-server protocol. Perhaps something like SCRAM
> > (maybe through SASL) really is the way forward for this, but that
> > seems like quite a project and it seems to dictate how the passwords are
> > stored; it requires a hash of the PBKDF2 algorithm to be stored.
>
> It would be nonsense to do it in any other way... protecting the
> password store and not the exchange would just shift the weak spot.
Yeah, that's why I was being rather pessimistic about the patch I posted.
However, SCRAM will only protect the password; SSL is still required
to protect against connection hijacking.
Cheers,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
is especially attractive, not only because it can be economically
and scientifically rewarding, but also because it can be an aesthetic
experience much like composing poetry or music."
-- Donald Knuth
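As an added illustration of the SCRAM property the thread touches on (the server keeps only PBKDF2-derived keys, never the password, and each proof is bound to a per-session nonce), the following is example code written for this page, not code from the PostgreSQL project or from the thread's authors. The user name, iteration count and message layout are simplified assumptions rather than a wire-compatible SCRAM implementation, and nothing here addresses the channel protection (SSL) the reply says is still required.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 4096  # assumed iteration count for this example


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """What the server stores: values derived via PBKDF2, not the password."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": h(client_key),  # H(ClientKey): cannot be replayed as a proof
        "server_key": hmac_sha256(salted, b"Server Key"),
    }


def client_proof(password: str, params: dict, auth_message: bytes) -> bytes:
    """Client side: rederive ClientKey from the password and bind it to auth_message."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 params["salt"], params["iterations"])
    client_key = hmac_sha256(salted, b"Client Key")
    client_sig = hmac_sha256(h(client_key), auth_message)
    return xor(client_key, client_sig)  # ClientProof = ClientKey XOR ClientSignature


def server_verify(verifier: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof, compare its hash to StoredKey."""
    client_sig = hmac_sha256(verifier["stored_key"], auth_message)
    client_key = xor(proof, client_sig)
    return hmac.compare_digest(h(client_key), verifier["stored_key"])


def run_exchange(password: str, attempt: str) -> bool:
    """One simulated exchange; the fresh nonce makes the proof single-use."""
    verifier = make_verifier(password, os.urandom(16))
    nonce = secrets.token_hex(8).encode()  # constructed per-session nonce
    auth_message = b"n=user,r=" + nonce + b",s=" + verifier["salt"].hex().encode()
    return server_verify(verifier, auth_message, client_proof(attempt, verifier, auth_message))
```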