Postgres Pro
Downloads
Home   >   mailing lists

Re: Authenticate with hash instead of plaintext password? - Mailing list pgsql-general

From Peter Bex
Subject Re: Authenticate with hash instead of plaintext password?
Date
Msg-id 20121216180342.GT4254@frohike.homeunix.org
Whole thread Raw
In response to Re: Authenticate with hash instead of plaintext password?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Authenticate with hash instead of plaintext password?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
Tree view 
On Sun, Dec 16, 2012 at 12:51:08PM -0500, Tom Lane wrote:
> Peter Bex <Peter.Bex@xs4all.nl> writes:
> > If they do break in and are able to retrieve the password hash, they
> > can still break in with that hash.
>
> Right, they can break into *this account*.

Not *just* this one, but any account on any service that uses this
same algorithm.  Even if this is a completely custom algorithm
that no other service is going to use, there's still the risk that
when one of his servers is cracked, if a customer has multiple
accounts they are all compromised even if they are on servers that
weren't compromised. (of course, assuming they use the same password
- but that's a reality we'll have to face, hence his original
request)

Finally, if it's a naive implementation of calculating a single hash
run, the password can be easily retrieved.  Either by brute-force
(with eg Hashcat or John the Ripper), or even common search engines.
See for example http://tools.benramsey.com/md5/

> But Murray is worrying about the all-too-common case where a user
> has used the same or similar password for multiple sites.  I think
> his goal of not having the original password stored anywhere is laudable.

Absolutely, I completely agree.  I wasn't trying to put down this
important goal.  There have been too many incidents of hacked password
databases.  This has to end.  That's why I'm so keen on trying to warn
against doing it in the way he originally proposed.

> Perhaps I'm missing the context here, but it seems unlikely that the
> users have any direct access to the database.  If they can only get to
> it through the website, then what about the idea of hashing the original
> text, and then using that hashed string as the database password?

See above; the password can be easily retrieved.

> IOW I don't see why this must be implemented inside libpq rather than
> in the website logic.

I'm not sure this is necessary either.

Cheers,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
                            -- Donald Knuth

pgsql-general by date:

Previous
From: Tom Lane
Date:
Subject: Re: Authenticate with hash instead of plaintext password?
Next
From: Peter Bex
Date:
Subject: Re: Need help for import of text file