Re: Is md5 really more secure than crypt? - Mailing list pgsql-general

From Bruno Wolff III
Subject Re: Is md5 really more secure than crypt?
Date
Msg-id 20020614160906.GA21317@wolff.to
In response to Is md5 really more secure than crypt?  ("murphy pope" <pope_murphy@hotmail.com>)
List pgsql-general
On Fri, Jun 14, 2002 at 10:54:35 -0400,
  murphy pope <pope_murphy@hotmail.com> wrote:
>
> But, if I can peek at the server's user/password checksum (in the pg_pwd
> file), I can connect to a server, get the server's salt, and combine it
> with the stolen checksum, arriving at the checksum expected by the server.
>
> This is exactly how I would impersonate a user authenticated by 'crypt'.
>
> So, to me, it doesn't seem that 'md5' is much more secure than 'crypt'.
> The user/password hash stored in pg_pwd is essentially a plaintext
> password.  What am I missing here?

I think MD5 is preferred because it provides better protection against
reversing a hash and you can use longer passwords. This helps against
some kinds of attacks.
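
Added example, not part of the original thread: a Python sketch of the two-step md5 computation discussed above, following the construction PostgreSQL documents for its md5 method (stored value is "md5" plus md5(password || username); the login response hashes that hex digest with the per-connection salt). The account name, password and function names are constructed for illustration. It shows both points made in the thread: the stored value is enough to compute the expected response, and the cleartext password never appears in it.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    # Value kept on the server: "md5" + md5(password || username).
    return "md5" + md5_hex(password.encode() + user.encode())


def expected_response(verifier: str, salt: bytes) -> str:
    # Server side: "md5" + md5(hex digest taken from the verifier || salt).
    return "md5" + md5_hex(verifier[3:].encode() + salt)


def client_response(user: str, password: str, salt: bytes) -> str:
    # Client side, starting from the cleartext password.
    inner = md5_hex(password.encode() + user.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_accepts(verifier: str, salt: bytes, response: str) -> bool:
    # Constant-time comparison of the expected and received responses.
    return hmac.compare_digest(expected_response(verifier, salt), response)


if __name__ == "__main__":
    user, password = "alice", "correct horse"   # constructed sample account
    verifier = stored_verifier(user, password)
    salt = os.urandom(4)                        # fresh salt per connection
    print("stored value:", verifier)
    print("login accepted:",
          server_accepts(verifier, salt, client_response(user, password, salt)))
    # The expected response depends only on (stored value, salt), so the
    # file holding the stored value needs the same protection as a password.
    print("response derivable from stored value alone:",
          expected_response(verifier, salt) == client_response(user, password, salt))
```

The per-connection salt keeps a captured response from being replayed on a later connection; it does nothing to protect the stored value itself, which is why access to the password file has to be restricted.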
