| From: | "David F(dot) Skoll" <dfs(at)roaringpenguin(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
| Date: | 2005-04-20 22:38:48 |
| Message-ID: | 4266D9F8.6020405@roaringpenguin.com |
| Lists: | pgsql-hackers |
Bruce Momjian wrote:
> > BTW, one could also ask exactly what threat model Stephen is concerned
> > about. ISTM anyone who can obtain the contents of pg_shadow has
> > *already* broken your database security.
> That's what I told him. I think his concern about pre-computed hashes
> is the only real issue, and given 'postgres' is usually the super-user, I
> can see someone pre-computing md5 postgres hashes and doing quick
> comparisons, perhaps as a root kit so you don't have to do the hashing
> yourself. I personally don't find that very compelling either.
The issue is that you should try your best to prevent dictionary attacks,
because often people use the same passwords for different things.
I know they shouldn't, but sometimes they do, so any measures you can
take to make a dictionary attack harder are worth doing, especially
when the random salt is so simple to implement.
--
David.
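An added illustration of the point made above (example code, not part of the original message or of PostgreSQL): the legacy stored form is `'md5' + md5(password || username)`, so with the superuser always named `postgres` a table of common passwords computed once applies to every install, whereas a hypothetical per-user random salt (assumed here, not a PostgreSQL format) forces the wordlist to be re-hashed per account. The wordlist is constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist for the demonstration, not from the thread.
COMMON_PASSWORDS = ["password", "postgres", "admin123", "letmein"]


def pg_md5_password(password: str, username: str) -> str:
    """Legacy PostgreSQL stored form: 'md5' + hex(md5(password || username)).
    The username is the only salt, so every install with a superuser named
    'postgres' stores the same value for the same password."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def salted_md5(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Hypothetical per-user random salt (an assumption for illustration, not
    a PostgreSQL format): 16 random bytes mixed in before hashing."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.md5(salt + password.encode()).hexdigest()


def verify_salted(password: str, salt: bytes, digest: str) -> bool:
    """Verify against a stored (salt, digest) pair with a constant-time compare."""
    return hmac.compare_digest(salted_md5(password, salt)[1], digest)


def build_table(username: str) -> Dict[str, str]:
    """Table computed once, in advance, for one username: stored hash -> password.
    Because the username is fixed, the same table is valid for every install."""
    return {pg_md5_password(p, username): p for p in COMMON_PASSWORDS}


def audit_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Defender's audit: would a precomputed table recognise this stored hash
    immediately? Returns the matching weak password, else None."""
    return table.get(stored_hash)


def audit_salted(salt: bytes, digest: str) -> Optional[str]:
    """With a random salt there is no reusable table: the wordlist has to be
    re-hashed under this account's specific salt, once per account."""
    for p in COMMON_PASSWORDS:
        if verify_salted(p, salt, digest):
            return p
    return None
```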