Home > mailing lists

Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

From	David Garamond
Subject	Re: Salt in encrypted password in pg_shadow
Date	September 8, 2004 06:11:53
Msg-id	413E6A55.7060704@zara.6.isreserved.com Whole thread Raw
In response to	Salt in encrypted password in pg_shadow (David Garamond <lists@zara.6.isreserved.com>)
Responses	Re: Salt in encrypted password in pg_shadow (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-general

Tree view

Tom Lane wrote:
>>Many people use short and easy-to-guess passwords (remember we're not
>>talking about the superuser only here), so the dictionary attack can be
>>more effective than people think.
>
> And that responds to the speed argument how?  I quite agree that a
> guessable password is risky, but putting in a random salt offers no
> real advantage if the salt has to be stored in the same place as the
> encrypted password.

Hm, I thought the purpose of salt is generally well understood? A
well-known string such as "postgres" is *not* a good salt at all.

Here's a couple of pages that hopefully can explain better:

http://en.wikipedia.org/wiki/Dictionary_attack
http://en.wikipedia.org/wiki/Salt_(cryptography)

--
dave

pgsql-general by date:

From: Alvaro Herrera
Date: 08 September 2004, 06:09:04
Subject: Re: Postgresql and scripting

From: Tom Lane
Date: 08 September 2004, 06:28:14
Subject: Re: Salt in encrypted password in pg_shadow

Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

Previous

Next