Re: Re: Proposal for encrypting pg_shadow passwords - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: Re: Proposal for encrypting pg_shadow passwords
Date
Msg-id 200108161356.f7GDuOs16714@candle.pha.pa.us
Whole thread Raw
Responses Re: Re: Proposal for encrypting pg_shadow passwords  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-patches
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > OK, patch attached.  Pretty nifty. Try MD5 first, and if it fails, try
> > crypt.
>
> What???
>
> Where did *that* idea come from?  If I'm using the new auth method
> because I don't think the old one is secure, I sure as heck don't want
> an old (or deliberately-broken) client to cause a fallback to a less
> secure method.

Just a reminder.  What I think it insecure is the size of our salt.
With only 3300 possible salts, it doesn't take long to playback a
duplicate.  That is true of MD5 and crypt.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

pgsql-patches by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: Patch for JDBC to update some comments
Next
From: Bruce Momjian
Date:
Subject: Re: Re: Proposal for encrypting pg_shadow passwords