Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

From Richard Huxton
Subject Re: Salt in encrypted password in pg_shadow
Date
Msg-id 413DEE4A.6030608@archonet.com
Whole thread Raw
In response to Re: Salt in encrypted password in pg_shadow  (David Garamond <lists@zara.6.isreserved.com>)
Responses Re: Salt in encrypted password in pg_shadow
List pgsql-general
David Garamond wrote:
> Consider someone who creates a long list of:
>
>  MD5( "postgres" + "aaaaaaaa" )
>  MD5( "postgres" + "aaaaaaab" )
>  MD5( "postgres" + "aaaaaaac" )
>  ...
>
> Now if he has access to other people's pg_shadow, he can compare the
> hashes with his dictionary. Replacing "postgres" with a random salt
> defeats this dictionary attack (and thus he will have to resort to brute
> force).

But surely you have to store the random salt in pg_shadow too? Or am I
missing something?

--
   Richard Huxton
   Archonet Ltd

pgsql-general by date:

Previous
From: "Andrew Janian"
Date:
Subject: Re: ERROR: canceling query due to user request
Next
From: Alex Soto
Date:
Subject: Re: supressing NOTICE messages on Windows/cygwin only not working?