From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my> |
Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Mike Arace <mikearace(at)hotmail(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Encoding passwords |
Date: | 2001-09-29 14:48:30 |
Message-ID: | 23194.1001774910@sss.pgh.pa.us |
Lists: | pgsql-general |
Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my> writes:
> I think it needs further confirmation, because what I said was from memory
> - I still can't find the source- so take what I said with a pinch of erm
> MSG. I'd personally go with the XOR rather than concat.
Why? AFAIK, appending a salt is a well-understood process with MD5.
I see no reason to think that XORing would be better, and it might be
worse.
> And I'd use a random salt rather than a predictable salt.
We do, at least for passwords flowing across the net. There's no
randomness in the salt for a password stored in pg_shadow, but the only
way to have randomness there would be to add a separate column showing
what the random salt was --- so an attacker with access to pg_shadow
would know what the salt was, anyway.
> But I emphasize again that I believe this is actually a small issue,
Indeed, but I'd rather get it right now than realize we made a small
error after it's too late to change.
regards, tom lane
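The scheme Tom describes above (a deterministic salt for the value kept in pg_shadow, a random salt for the value that crosses the wire, salt appended rather than XORed) is spelled out below as an added example. It is not code from the thread or from PostgreSQL; it assumes the shape of PostgreSQL's later "md5" authentication method (stored value `md5` + MD5(password || username), wire value `md5` + MD5(stored hex || 4 random salt bytes)), and the role name, password and fixed salts are constructed inputs.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5(password: str, username: str) -> str:
    """Value kept in the catalog: 'md5' + MD5(password || username).

    The username is the salt, so it is not random (Tom's point: a random
    salt would need its own column, which an attacker reading pg_shadow
    would see anyway), but the same password still hashes differently
    for different roles, so one cracking table does not cover them all.
    """
    return "md5" + md5_hex(password.encode() + username.encode())


def new_challenge() -> bytes:
    """Per-connection random salt sent by the server (4 bytes assumed)."""
    return os.urandom(4)


def client_response(password: str, username: str, salt: bytes) -> str:
    """What the client puts on the wire: 'md5' + MD5(stored_hex || salt).

    Because the salt is fresh per connection, a captured response cannot
    be replayed against a later challenge.
    """
    inner = stored_md5(password, username)[3:]  # hex digest without the tag
    return "md5" + md5_hex(inner.encode() + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored value only; the clear
    password is never needed here."""
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def response_from_stored_hash(stored: str, salt: bytes) -> str:
    """Caveat this thread does not raise: since the wire value is derived
    from the stored value, anyone holding the pg_shadow entry can answer
    the challenge without ever learning the password."""
    return "md5" + md5_hex(stored[3:].encode() + salt)


def demo() -> dict:
    """Run one login for a constructed role and return the intermediate values."""
    user, password = "alice", "correct horse"  # constructed sample credentials
    stored = stored_md5(password, user)
    salt = new_challenge()
    resp = client_response(password, user, salt)
    return {
        "stored": stored,
        "salt": salt.hex(),
        "response": resp,
        "accepted": server_verify(stored, salt, resp),
        "wrong_password_accepted": server_verify(
            stored, salt, client_response("wrong", user, salt)),
        "hash_alone_suffices": response_from_stored_hash(stored, salt) == resp,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stored value is stable across runs (same password, same role), while the wire value changes with every challenge, which is the split Tom is describing. The last function is the practical consequence of storing a hash that the challenge response is built from: protecting pg_shadow matters as much as protecting the cleartext.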