MD5 salt in pg_authid password hashes - Mailing list pgsql-general

From Stefan Weiss
Subject MD5 salt in pg_authid password hashes
Date
Msg-id 4F3C6B2D.8080207@foo.at
Responses Re: MD5 salt in pg_authid password hashes  (Adrian Klaver <adrian.klaver@gmail.com>)
List pgsql-general
From the manual:

| Because MD5-encrypted passwords use the role name as cryptographic
| salt, renaming a role clears its password if the password is
| MD5-encrypted.

In backend/commands/user.c

    if (!pg_md5_encrypt(password, stmt->role, strlen(stmt->role),
                        encrypted_password))
        elog(ERROR, "password encryption failed");
    new_record[Anum_pg_authid_rolpassword - 1] =
        CStringGetTextDatum(encrypted_password);

I don't understand this. Why was the role name chosen as a salt? Apart
from the problem that the hash becomes unusable when a role is renamed,
role names are very poor salts. Given how relatively predictable they
are, the hash could just as well be left unsalted.

There is a comment in libpq/md5.c which more or less acknowledges this:
"Place salt at the end because it may be known by users trying to crack
the MD5 output." Ignoring for the moment that cracking PG passwords is
probably not very common, the position of the salt does little to
prevent attacks.

A random salt would eliminate both weaknesses. The only explanation I
can come up with is that the current method of hashing has been kept for
historic reasons, as changing to a random salt would break existing hashes.

Or is there something else I've overlooked?


regards,
stefan


PS: Strictly speaking, the expression "MD5-encrypted" in the manual is
incorrect - MD5 is a hashing algorithm, not an encryption algorithm.
</nitpick>


--
LOAD"Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!",8,1
RUN!
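
The behaviour discussed in this message, as an added example that is not part of the original post or of PostgreSQL's source: it recomputes the stored `md5` + MD5(password || role name) form, shows that a rename invalidates it and that the same role and password give the same hash on every cluster, and contrasts a random salt. The role names, password, and the `random_salted` storage format are assumptions made up for illustration.

```python
import hashlib
import hmac
import os


def pg_md5_rolpassword(password, role):
    """'md5' + hex(MD5(password || role)): the role name is appended as the salt."""
    return "md5" + hashlib.md5((password + role).encode("utf-8")).hexdigest()


def verify(stored, password, role):
    """Recompute with the role's current name and compare in constant time."""
    return hmac.compare_digest(stored, pg_md5_rolpassword(password, role))


def random_salted(password, salt=None):
    """Hypothetical alternative (not PostgreSQL's format): random salt kept beside
    the digest. MD5 is retained only to isolate the effect of the salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(password.encode("utf-8") + salt).hexdigest()
    return salt.hex() + "$" + digest


def verify_random_salted(stored, password):
    """The salt is read back from the stored value, so no role name is involved."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(stored, random_salted(password, bytes.fromhex(salt_hex)))


def compare_schemes(password="correct horse", role="app_user", renamed="app_owner"):
    """Constructed sample values; returns what each scheme does on rename and reuse."""
    stored = pg_md5_rolpassword(password, role)
    a, b = random_salted(password), random_salted(password)
    return {
        "valid_before_rename": verify(stored, password, role),
        "valid_after_rename": verify(stored, password, renamed),
        "same_hash_on_two_clusters": stored == pg_md5_rolpassword(password, role),
        "random_salt_hashes_differ": a != b,
        "random_salt_survives_rename": verify_random_salted(a, password),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```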
