Re: So we're in agreement.... - Mailing list pgsql-hackers

From Vince Vielhaber
Subject Re: So we're in agreement....
Date
Msg-id Pine.BSF.4.21.0005071214030.13987-100000@paprika.michvhf.com
In response to Re: So we're in agreement....  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: So we're in agreement....  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Sun, 7 May 2000, Bruce Momjian wrote:

> > > Yes, MD5, double-crypt with pg_shadow salt and random salt.  Sounds like
> > > a winner all around.
> > 
> > why pg_shadow salt? for md5 we will need to store it separately anyway.
> > why not MD5(<server-supplied-random-salt> || MD5(<username> ||
> > <password>))
> > that way we would overcome the original need for salt (accidental
> > discovery 
> > of similar passwords) and would have no need for storing the salt.
> > 
> > actually we would probably need some kind of separator as well to avoid
> > the scenario of <user>+<password> and <userpa>+<ssword> being the same 
> > and thus having the same md5 hash. so the scheme could be
> > 
> > MD5(<server-supplied-random-salt> || '\n' || MD5(<username> || '\n' ||
> > <password>))
> > 
> > AFAIK there is no easy way to have a newline inside password. 
> 
> Well, unix passwords don't use the username as salt, so why should we?

It could add a level of security.  The client knows the username.  If
the client were to only send LOGIN or something like that to the server
without sending the username and the server only replied with the random
salt, the client would know that the username was the fixed salt and could
use that with random salt received from the server.  So it's really a
hidden salt.

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
    Online Campground Directory    http://www.camping-usa.com
    Online Giftshop Superstore     http://www.cloudninegifts.com
==========================================================================
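The two-level scheme quoted in this message, MD5(salt || '\n' || MD5(username || '\n' || password)), worked through as an added Python example; it is not code from the thread or from PostgreSQL. It assumes the inner digest is hex-encoded before being hashed again, and the usernames, passwords and salt are constructed sample values; the unseparated variant is included only to show the `<user>+<password>` boundary problem the quoted text describes.

```python
import hashlib
import hmac
import os

# Separator proposed in the thread so username/password boundaries stay unambiguous.
SEP = b"\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_hash(username: str, password: str, sep: bytes = SEP) -> str:
    """Inner value kept server-side: MD5(username || sep || password).
    sep=b"" reproduces the unseparated variant the thread warns about."""
    return md5_hex(username.encode() + sep + password.encode())


def client_response(username: str, password: str, salt: bytes, sep: bytes = SEP) -> str:
    """Client side: MD5(salt || sep || MD5(username || sep || password)).
    Assumption: the inner digest is hex-encoded before it is hashed again."""
    inner = stored_hash(username, password, sep)
    return md5_hex(salt + sep + inner.encode())


def server_verify(stored_inner: str, salt: bytes, response: str, sep: bytes = SEP) -> bool:
    """Server side: recompute the outer hash from the stored inner value only,
    so the cleartext password is never needed; compare in constant time."""
    expected = md5_hex(salt + sep + stored_inner.encode())
    return hmac.compare_digest(expected, response)


def inner_collides(u1: str, p1: str, u2: str, p2: str, sep: bytes = SEP) -> bool:
    """True when two (user, password) pairs yield the same stored inner hash."""
    return stored_hash(u1, p1, sep) == stored_hash(u2, p2, sep)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    salt = os.urandom(4)                      # server-supplied random salt
    stored = stored_hash("alice", "s3cret")   # what the server stores at password-set time
    print(server_verify(stored, salt, client_response("alice", "s3cret", salt)))  # True
    print(server_verify(stored, salt, client_response("alice", "wrong", salt)))   # False
    # The boundary problem from the thread: same bytes, different split.
    print(inner_collides("user", "password", "userpa", "ssword", sep=b""))  # True
    print(inner_collides("user", "password", "userpa", "ssword"))           # False
```

Because the salt is fresh per login, a captured response cannot be replayed, but the stored inner hash is itself enough to answer any challenge, so pg_shadow still has to be protected as tightly as a cleartext password file.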