Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

From Tom Lane
Subject Re: Salt in encrypted password in pg_shadow
Date
Msg-id 14516.1094610460@sss.pgh.pa.us
Whole thread Raw
In response to Re: Salt in encrypted password in pg_shadow  (Steve Atkins <steve@blighty.com>)
Responses Re: Salt in encrypted password in pg_shadow
List pgsql-general
Steve Atkins <steve@blighty.com> writes:
> A random salt stored with the hashed password increases the storage
> and precomputation time required by the size of the salt (so a 16 bit
> salt would increase the storage and precomputation time needed by
> a factor of 65536). That increase makes the pre-computed dictionary
> attack pretty much infeasible.

[ raised eyebrow... ]  It is not immediately obvious that a factor of
2^16 makes the difference between feasible and infeasible.  As
counterexamples, if it would otherwise take you one microsecond to break
the password, 64 milliseconds isn't going to scare you; if it would
otherwise take you a century to break the password, raising it to
64k centuries isn't going to make for a very meaningful improvement in
security either.

Show me a scheme where the random salt isn't stored right beside the
password, and I might start to get interested.

            regards, tom lane

pgsql-general by date:

Previous
From: David Garamond
Date:
Subject: Re: Salt in encrypted password in pg_shadow
Next
From: Tom Lane
Date:
Subject: Re: Salt in encrypted password in pg_shadow