Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date
Msg-id 15611.1114096507@sss.pgh.pa.us
Whole thread Raw
In response to Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords  ("Jim C. Nasby" <decibel@decibel.org>)
List pgsql-hackers
"Jim C. Nasby" <decibel@decibel.org> writes:
> Something that just occured to me... if you're using a random salt, you
> can change it periodically without any disruption. So in the case of a
> site that's worried about brute-forcing a password or hash you can
> periodically update all the salts with new random values.

Not unless you force the users to change passwords.  How are you going
to use MD5(passwd,oldsalt) to derive MD5(passwd,newsalt) when you don't
know passwd?
        regards, tom lane


pgsql-hackers by date:

Previous
From: Andrew Dunstan
Date:
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Next
From: Bruce Momjian
Date:
Subject: Re: [COMMITTERS] pgsql: Install some slightly realistic cost