Home > mailing lists

Re: [HACKERS] Enhancements to passwordcheck - Mailing list pgsql-hackers

From	Michael Paquier
Subject	Re: [HACKERS] Enhancements to passwordcheck
Date	September 27, 2017 16:48:14
Msg-id	CAB7nPqRY8R=aJVtGYsw1mtKByiFko7qr0DtPDwyodCq1X4LmSQ@mail.gmail.com Whole thread Raw
In response to	Re: [HACKERS] Enhancements to passwordcheck (Albe Laurenz <laurenz.albe@wien.gv.at>)
List	pgsql-hackers

Tree view

On Wed, Sep 27, 2017 at 6:05 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
> I had the impression that the reasons why database passwords are
> not the best option for high security were:
> 1) The password hash is stored in the database and can be stolen and
>    cracked (don't know if dictionary attacks are harder with SCRAM).
> 2) The password or the password hash are transmitted to the server
>    when you change the password and may be captured.

Having a MD5 hash is enough to connect to the database. No need to crack it.
-- 
Michael


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

pgsql-hackers by date:

From: Taiki Kondo
Date: 27 September 2017, 16:41:26
Subject: [HACKERS] Float value 'Infinity' is cast to numeric 1 on Windows

From: Marko Tiikkaja
Date: 27 September 2017, 16:52:33
Subject: [HACKERS] 200 = 199 + 1?

Re: [HACKERS] Enhancements to passwordcheck - Mailing list pgsql-hackers

Previous

Next