| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: MD5 authentication needs help |
| Date: | 2015-03-04 19:18:17 |
| Message-ID: | 20150304191817.GI29780@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Heikki Linnakangas (hlinnaka(at)iki(dot)fi) wrote:
> I'm not sure how expensive a brute force attack on SRP would be,
> using a stolen backup tape. There doesn't seem to be an iterations
> count similar to SCRAM. But note that SRP's resistance to
> brute-forcing the authentication handshake is of a different kind.
> It's not just expensive, but outright impossible. (Don't ask me how
> that works; I'm not well-versed in the maths involved.) That's a big
> advantage because it means that it's OK to use a fairly weak
> password like 'foobar123' that would be trivially cracked with a
> dictionary attack.
If it's actually impossible then that's certainly interesting.. I don't
get how that's possible, but ok.
> (You can still connect to the server and try
> different passwords, but the server can log that and throttle how
> many guesses / minute it let's you do)
Wouldn't that be nice... Wish we did it. :(
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2015-03-04 19:21:51 | Re: MD5 authentication needs help |
| Previous Message | Bruce Momjian | 2015-03-04 19:16:25 | Re: MD5 authentication needs help |