BugTraq
Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 04:50PM
Stephen Frost (sfrost snowman net) (2 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 09:03PM
Tom Lane (tgl sss pgh pa us) (1 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 09:23PM
Jim C. Nasby (decibel decibel org) (4 replies)
On Wed, Apr 20, 2005 at 05:03:18PM -0400, Tom Lane wrote:
> > This would allow for the pregeneration of the entire md5
> > keyspace using that 'salt' and then quick breakage of the hash once
> > it's retrieved by the attacker.
>
> Considering the size of the possible keyspace, this is pretty silly.

Actually, it's not as silly as you think. You can download rainbow
tables for Windows/LanMan passwords up to 14 or 15 characters in length.
Given the password hash and some code, you can determine the user's
password in a matter of minutes.

Simply put, MD5 is no longer strong enough for protecting secrets. It's
just too easy to brute-force. SHA1 is ok for now, but it's days are
numbered as well. I think it would be good to alter SHA1 (or something
stronger) as an alternative to MD5, and I see no reason not to use a
random salt instead of username.
--
Jim C. Nasby, Database Consultant decibel (at) decibel (dot) org [email concealed]
Give your computer some brain candy! www.distributed.net Team #1828

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

[ reply ]
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 04:50PM
Joshua D. Drake (jd commandprompt com) (2 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 07:48PM
Lance James (lancej securescience net)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 06:05PM
Stephen Frost (sfrost snowman net)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encryptedpasswords Apr 21 2005 09:06AM
Tino Wildenhain (tino wildenhain de) (1 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 21 2005 01:32PM
Rod Taylor (pg rbt ca) (2 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 22 2005 03:33AM
Michael Samuel (michael miknet net)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 21 2005 01:47PM
Tino Wildenhain (tino wildenhain de)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 02:58AM
Jim Knoble (jmknoble pobox com) (1 replies)
RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 07:25PM
Mike Fratto (mfratto nwc com) (2 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 09:14PM
Jim Knoble (jmknoble pobox com)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 08:50PM
Stephen Frost (sfrost snowman net) (1 replies)
RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 09:14PM
Mike Fratto (mfratto nwc com) (1 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 09:33PM
Stephen Frost (sfrost snowman net) (1 replies)
RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 09:57PM
Mike Fratto (mfratto nwc com)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 10:03PM
Tom Lane (tgl sss pgh pa us) (3 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 02:27AM
Stephen Frost (sfrost snowman net) (1 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 10:27PM
Bruno Wolff III (bruno wolff to) (2 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encryptedpasswords Apr 22 2005 08:02PM
Antoine Martin (antoine nagafix co uk) (1 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 23 2005 01:02PM
Stephen Frost (sfrost snowman net) (1 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 23 2005 02:53PM
Antoine Martin (antoine nagafix co uk)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 22 2005 12:05AM
Stephen Frost (sfrost snowman net)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 10:10PM
Bruce Momjian (pgman candle pha pa us) (1 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 10:17PM
Tom Lane (tgl sss pgh pa us) (1 replies)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 12:26AM
David F. Skoll (dfs roaringpenguin com)
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 10:08PM
Jim C. Nasby (decibel decibel org)
Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 07:36PM
David F. Skoll (dfs roaringpenguin com) (1 replies)
Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 07:44PM
Stephen Frost (sfrost snowman net)


 

Privacy Statement
Copyright 2010, SecurityFocus