* David F. Skoll (dfs (at) roaringpenguin (dot) com [email concealed]) wrote:
> Stephen Frost wrote:
> > The md5 hash which is generated for and stored in pg_shadow does not
> > use a random salt but instead uses the username which can generally be
> > determined ahead of time (especially for the 'postgres' superuser
> > account).
>
> I noted that this was a problem back in August, 2002:
>
> http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php
>
> Then, as now, the developers weren't very concerned.
I have some hopes that pointing out the rather large problem with the
md5 authentication mechanism in pg_hba.conf will lead them to discourage
it's use and thus reduce the occourances of the salt being made
available to the user giving more weight to the usefullness of having it
be a random salt. Additionally, it's been a few years, perhaps
viewpoints have changed.
> Stephen Frost wrote:
> > The md5 hash which is generated for and stored in pg_shadow does not
> > use a random salt but instead uses the username which can generally be
> > determined ahead of time (especially for the 'postgres' superuser
> > account).
>
> I noted that this was a problem back in August, 2002:
>
> http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php
>
> Then, as now, the developers weren't very concerned.
I have some hopes that pointing out the rather large problem with the
md5 authentication mechanism in pg_hba.conf will lead them to discourage
it's use and thus reduce the occourances of the salt being made
available to the user giving more weight to the usefullness of having it
be a random salt. Additionally, it's been a few years, perhaps
viewpoints have changed.
Stephen
[ reply ]