SecurityFocus

Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 04:50PM
Stephen Frost (sfrost snowman net) (2 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 09:03PM
Tom Lane (tgl sss pgh pa us) (1 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 09:23PM
Jim C. Nasby (decibel decibel org) (4 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 04:50PM
Joshua D. Drake (jd commandprompt com) (2 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 07:48PM
Lance James (lancej securescience net)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 06:05PM
Stephen Frost (sfrost snowman net)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encryptedpasswords Apr 21 2005 09:06AM
Tino Wildenhain (tino wildenhain de) (1 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 21 2005 01:32PM
Rod Taylor (pg rbt ca) (2 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 22 2005 03:33AM
Michael Samuel (michael miknet net)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 21 2005 01:47PM
Tino Wildenhain (tino wildenhain de)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 02:58AM
Jim Knoble (jmknoble pobox com) (1 replies)

RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 07:25PM
Mike Fratto (mfratto nwc com) (2 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 09:14PM
Jim Knoble (jmknoble pobox com)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 08:50PM
Stephen Frost (sfrost snowman net) (1 replies)

RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 09:14PM
Mike Fratto (mfratto nwc com) (1 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 09:33PM
Stephen Frost (sfrost snowman net) (1 replies)

RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 09:57PM
Mike Fratto (mfratto nwc com)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 10:03PM
Tom Lane (tgl sss pgh pa us) (3 replies)

"Jim C. Nasby" <decibel (at) decibel (dot) org [email concealed]> writes:
> Simply put, MD5 is no longer strong enough for protecting secrets. It's
> just too easy to brute-force. SHA1 is ok for now, but it's days are
> numbered as well. I think it would be good to alter SHA1 (or something
> stronger) as an alternative to MD5, and I see no reason not to use a
> random salt instead of username.

Well, I have no particular problem with offering SHA1 as an alternative
hash method for those who find MD5 too weak ... but I still question the
value of putting any random salt in the table. AFAICS you would have to
send that salt as part of the initial password challenge, which means
any potential attacker could find it out even before trying to
compromise pg_shadow; so Stephen's argument that there is a useful
improvement in protection against precomputation of password hashes
still falls down.

BTW, one could also ask exactly what threat model Stephen is concerned
about. ISTM anyone who can obtain the contents of pg_shadow has
*already* broken your database security.

regards, tom lane

[ reply ]

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 02:27AM
Stephen Frost (sfrost snowman net) (1 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 10:27PM
Bruno Wolff III (bruno wolff to) (2 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encryptedpasswords Apr 22 2005 08:02PM
Antoine Martin (antoine nagafix co uk) (1 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 23 2005 01:02PM
Stephen Frost (sfrost snowman net) (1 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Apr 23 2005 02:53PM
Antoine Martin (antoine nagafix co uk)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 22 2005 12:05AM
Stephen Frost (sfrost snowman net)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 10:10PM
Bruce Momjian (pgman candle pha pa us) (1 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 10:17PM
Tom Lane (tgl sss pgh pa us) (1 replies)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 21 2005 12:26AM
David F. Skoll (dfs roaringpenguin com)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 10:08PM
Jim C. Nasby (decibel decibel org)

Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 07:36PM
David F. Skoll (dfs roaringpenguin com) (1 replies)

Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Apr 20 2005 07:44PM
Stephen Frost (sfrost snowman net)