From: | "David F(dot) Skoll" <dfs(at)roaringpenguin(dot)com> |
---|---|
To: | Tim Ellis <Tim(dot)Ellis(at)gamet(dot)com> |
Cc: | Stefan Fiel <fstefan(at)cable(dot)vol(dot)at>, <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: password encryption |
Date: | 2002-08-22 01:40:26 |
Message-ID: | Pine.LNX.4.44.0208212137490.22466-100000@shishi.roaringpenguin.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
On Wed, 21 Aug 2002, Tim Ellis wrote:
> I always run my passwords through md5sum(), which is an open source
> implementation, and thus seems to've been written in every language out
> there.
But a straight md5sum leaves you open to a dictionary attack. You want
to add some salt by doing something like this:
salt = random_4_char_string;
encrypted_password = salt + md5sum(salt + cleartext_password);
To verify, just extract the salt from the encrypted password and redo the
calculation.
A dictionary attack is now much less feasible because the same cleartext
password can encrypt to millions of different ciphertext passwords.
--
David.
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2002-08-22 02:05:49 | Re: DB Access Restrictions |
Previous Message | Klaus Sonnenleiter | 2002-08-22 00:55:19 | Re: password encryption |