Home > mailing lists

Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords - Mailing list pgsql-hackers

From	Joshua D. Drake
Subject	Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date	April 21, 2005 16:50:40
Msg-id	4267D9D7.1010500@commandprompt.com Whole thread Raw
In response to	Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords ("Jim C. Nasby" <decibel@decibel.org>)
Responses	Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
List	pgsql-hackers

Tree view

> Simply put, MD5 is no longer strong enough for protecting secrets. It's
> just too easy to brute-force. SHA1 is ok for now, but it's days are
> numbered as well. I think it would be good to alter SHA1 (or something
> stronger) as an alternative to MD5, and I see no reason not to use a
> random salt instead of username.

If you aren't paying close enough attention to your database server to
see that someone is trying to brute force your MD5 password you have 
bigger problems.

Sincerely,

Joshua D. Drake





-- 
Your PostgreSQL solutions company - Command Prompt, Inc. 1.800.492.2240
PostgreSQL Replication, Consulting, Custom Programming, 24x7 support
Managed Services, Shared and Dedication Hosting
Co-Authors: plPHP, plPerlNG - http://www.commandprompt.com/

pgsql-hackers by date:

From: Tom Lane
Date: 21 April 2005, 16:13:56
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: "David F. Skoll"
Date: 21 April 2005, 17:06:35
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords - Mailing list pgsql-hackers

Previous

Next