From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
Subject: | Re: MD5 authentication needs help |
Date: | 2015-03-07 20:32:40 |
Message-ID: | 20150307203240.GO12967@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Sat, Mar 7, 2015 at 03:15:46PM -0500, Bruce Momjian wrote:
> > Gave me 9.15s, or ~0.00915s per connection on a single thread. That
> > times 16k is 146s or about two and a half minutes. Of course, I'm
> > comparing this against what we currently do since, well, that's what we
> > currently do. Changing it to 4b would certainly improve that. Of
> > course, using multiple threads, having multiple challenge/responses on
> > hand (due to listening for a while) or simply breaking the MD5 hash
> > (which we know isn't a terribly great hashing algorithm these days)
> > would change that.
>
> Uh, my calculations show that as 434 days of trying. (Not sure why you
> didn't bother doing that calculation.) I think anyone who is worried
> about that level of attack would already be using MD5. Again, MD5 is
> mostly used in low-security settings where you just don't want the
> password sent over the wire in cleartext. Frankly, without TLS, you are
> already sending your queries and data across in clear-text, and there
> are other attack vectors.
Actually, with a counter, the bad guy just has to wait for the counter
to roll around, and then try to catch the counter on the values he has
recorded, meaning you wouldn't even be able to detect the hack attempts.
:-)
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2015-03-07 20:40:22 | Re: MD5 authentication needs help |
Previous Message | Stephen Frost | 2015-03-07 20:32:22 | Re: MD5 authentication needs help |