Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

From Richard Huxton
Subject Re: Salt in encrypted password in pg_shadow
Date
Msg-id 413DEE4A.6030608@archonet.com
In response to Re: Salt in encrypted password in pg_shadow  (David Garamond <lists@zara.6.isreserved.com>)
Responses Re: Salt in encrypted password in pg_shadow  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
David Garamond wrote:
> Consider someone who creates a long list of:
>
>  MD5( "postgres" + "aaaaaaaa" )
>  MD5( "postgres" + "aaaaaaab" )
>  MD5( "postgres" + "aaaaaaac" )
>  ...
>
> Now if he has access to other people's pg_shadow, he can compare the
> hashes with his dictionary. Replacing "postgres" with a random salt
> defeats this dictionary attack (and thus he will have to resort to brute
> force).

But surely you have to store the random salt in pg_shadow too? Or am I
missing something?

--
   Richard Huxton
   Archonet Ltd
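A constructed Python illustration of the point Richard raises, added here and not code from PostgreSQL or from anyone in the thread. It contrasts the pg_shadow scheme (MD5 of password concatenated with the username, where the username is the salt and is already stored in the row) with a hypothetical random-salt scheme, where the salt must be kept in the stored entry because verification has to read it back; the `$`-separated layout is an assumption made for the example.

```python
import hashlib
import os
from typing import Optional


def pg_md5_password(password: str, username: str) -> str:
    """pg_shadow-style entry: 'md5' + hex(MD5(password || username)).

    The username acts as the salt. Nothing extra has to be stored,
    because the username is already a column in the same row.
    """
    digest = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + digest


def random_salt_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Hypothetical random-salt entry (assumed format: md5$<salt-hex>$<digest>).

    The salt is generated per user, so the only way to verify later is to
    store it alongside the digest in the same field.
    """
    if salt is None:
        salt = os.urandom(8)  # fresh 64-bit salt per stored password
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$" + salt.hex() + "$" + digest


def verify_random_salt_entry(password: str, entry: str) -> bool:
    """Check a password against a random-salt entry.

    The salt is parsed out of the stored entry; without it the candidate
    password cannot be hashed the same way, which is why it must be stored.
    """
    parts = entry.split("$")
    if len(parts) != 3 or parts[0] != "md5":
        return False
    salt = bytes.fromhex(parts[1])
    return hashlib.md5(salt + password.encode()).hexdigest() == parts[2]


def same_password_distinct_entries(password: str, usernames) -> bool:
    """True if one shared password yields a different entry for every user.

    With the username as salt, a table precomputed for one username cannot
    be reused to match the same password under another username.
    """
    entries = {pg_md5_password(password, u) for u in usernames}
    return len(entries) == len(set(usernames))
```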
