Home > mailing lists

Re: Authenticate with hash instead of plaintext password? - Mailing list pgsql-general

From	Tom Lane
Subject	Re: Authenticate with hash instead of plaintext password?
Date	December 16, 2012 21:30:32
Msg-id	17605.1355682629@sss.pgh.pa.us Whole thread Raw
In response to	Re: Authenticate with hash instead of plaintext password? (Peter Bex <Peter.Bex@xs4all.nl>)
Responses	Re: Authenticate with hash instead of plaintext password? (Peter Bex <Peter.Bex@xs4all.nl>)
List	pgsql-general

Tree view

Peter Bex <Peter.Bex@xs4all.nl> writes:
> On Sun, Dec 16, 2012 at 12:51:08PM -0500, Tom Lane wrote:
>> Right, they can break into *this account*.

> Not *just* this one, but any account on any service that uses this
> same algorithm.

That's easily fixed.  I'd be inclined to make the "password" hash be a
hash of the actual password plus the user's name plus some
web-site-specific random salt string.  All of these should be readily
available anytime you need to compute the hash, and the inclusion of the
latter two components will make it difficult to use precomputed rainbow
tables to extract the actual password.  With a little more work, he
could also have a per-user random salt added to the hash input --- but
that would require an additional lookup step during login.

            regards, tom lane

pgsql-general by date:

From: Tom Lane
Date: 16 December 2012, 21:17:01
Subject: Re: Default timezone changes in 9.1

From: Murray Cumming
Date: 16 December 2012, 21:42:46
Subject: Re: Authenticate with hash instead of plaintext password?

Re: Authenticate with hash instead of plaintext password? - Mailing list pgsql-general

Previous

Next