Home > mailing lists

Re: You're on SecurityFocus.com for the cleartext passwords. - Mailing list pgsql-hackers

From	Sverre H. Huseby
Subject	Re: You're on SecurityFocus.com for the cleartext passwords.
Date	May 6, 2000 15:50:06
Msg-id	20000506184526.B22812@online.no Whole thread Raw
In response to	Re: You're on SecurityFocus.com for the cleartext passwords. (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses	Re: You're on SecurityFocus.com for the cleartext passwords.
List	pgsql-hackers

Tree view

[Bruce Momjian]

|       store the password in pg_shadow like a unix-style password with salt
|       pass the random salt and the salt from pg_shadow to the client
|       client crypts the password twice through the routine:
|           once using the pg_shadow salt
|           another time using the random salt

That's close to what I thought of a couple of days ago too, except I
would have used MD5, since I already have that implemented. :) (It
seems you already have crypt, so you wouldn't need MD5.)

Does anyone here really _know_ (and I mean KNOW)
security/cryptography?  If so, could you please comment on this
scheme?  And while you're at it, whats better of MD5 and Unix crypt
(triple DES ++, isn't it?) from a security perspective?


Sverre.

-- 
<URL:mailto:sverrehu@online.no>
<URL:http://home.sol.no/~sverrehu/>          Echelon bait: semtex, bin Laden,
plutonium,North Korea, nuclear bomb

pgsql-hackers by date:

From: Bruce Momjian
Date: 06 May 2000, 15:31:05
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.

From: Vince Vielhaber
Date: 06 May 2000, 15:57:05
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.

Re: You're on SecurityFocus.com for the cleartext passwords. - Mailing list pgsql-hackers

Previous

Next