Re: PostgreSQL cleartext passwords

From: Lincoln Yeoh <lylyeoh(at)mecomb(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Jim Mercer <jim(at)reptiles(dot)org>, David Duddleston <david(at)i2a(dot)com>, pgsql-general(at)hub(dot)org
Subject: Re: PostgreSQL cleartext passwords
Date: 2000-05-24 02:07:08
Message-ID: 3.0.5.32.20000524100708.008a36e0@pop.mecomb.po.my
Lists: pgsql-general

At 09:59 PM 18-05-2000 -0400, Tom Lane wrote:
>Lincoln Yeoh <lylyeoh(at)mecomb(dot)com> writes:
>> At 05:38 PM 18-05-2000 -0400, Tom Lane wrote:
>
>> But if someone sniffs the crypted form, won't they be able to reuse it?
>
>Not unless they're lucky enough to be challenged with the same random
>"salt" value that was used in the login transaction they sniffed.

Well then it's a max of 4096 tries? Assuming a normal crypt size salt.

Of course a dictionary crack might be easy enough and definitely less
obtrusive than <salt-permutation> tries.

Does 7.0 log authentication failures on a different level?

Cheerio,

Link.
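
Added example, not part of the original message or of PostgreSQL's code: a small model of the salted challenge discussed above, showing how many authentication failures a replay of one sniffed reply leaves in the server's log before the salt repeats. The names `Server`, `crypt_standin` and the SHA-256 stand-in for crypt(3) are assumptions made for illustration; the 4096-value salt space is the figure from the thread.

```python
import hashlib
import hmac
import random

SALT_SPACE = 64 * 64  # classic crypt(3) salt: 2 chars from a 64-symbol set = 4096 values

def crypt_standin(password: str, salt: int) -> str:
    """Stand-in for crypt(password, salt); SHA-256 is used only so this runs anywhere."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()

class Server:
    """Model of the exchange: server sends a random salt, client returns the crypted form."""
    def __init__(self, password: str, rng: random.Random):
        self._password = password
        self._rng = rng
        self.failed_logins = 0  # what an authentication-failure log would count

    def challenge(self) -> int:
        self._salt = self._rng.randrange(SALT_SPACE)
        return self._salt

    def verify(self, reply: str) -> bool:
        ok = hmac.compare_digest(reply, crypt_standin(self._password, self._salt))
        if not ok:
            self.failed_logins += 1
        return ok

def replay_success_probability(captured_salts: int, attempts: int) -> float:
    """Chance that at least one of `attempts` fresh challenges repeats a sniffed salt."""
    return 1.0 - (1.0 - captured_salts / SALT_SPACE) ** attempts

def failures_before_replay_accepted(server: Server, sniffed: dict) -> int:
    """Replay sniffed {salt: reply} pairs; return failures logged before one is accepted."""
    while True:
        salt = server.challenge()
        if server.verify(sniffed.get(salt, "")):
            return server.failed_logins

if __name__ == "__main__":
    rng = random.Random(2000)  # fixed seed so the run is repeatable (constructed input)
    server = Server("constructed-password", rng)
    salt = server.challenge()
    sniffed = {salt: crypt_standin("constructed-password", salt)}  # one observed login
    print("failed logins before replay worked:",
          failures_before_replay_accepted(server, sniffed))
    print("P(success within 4096 tries):",
          round(replay_success_probability(1, 4096), 3))
```

Because each challenge draws a fresh salt, the failure count follows a geometric distribution with mean near 4096, so a threshold on logged authentication failures per account sees the replay long before it is likely to succeed.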
