At 07:15 PM 9/27/01 -0400, Bruce Momjian wrote:
>>
>> I guess the issue is that if you can get the salt part found out, you
>> can use that to attack the password part. Also, consider that we use
>> the username as the salt as stored in pg_shadow. We can easily put the
>> salt in the back, but then there is the risk that a long password would
>> not take into account the salt. My feeling that this is more a
>> theoretical concern and we may be opening ourselves up to more problems
>> if we make the change.
>
>OK, I have applied the following patch to the MD5 code that puts the
>salt at the end. We can't change the crypt() stuff because that is
>being used in older releases.
I think it needs further confirmation, because what I said was from memory
- I still can't find the source- so take what I said with a pinch of erm
MSG. I'd personally go with the XOR rather than concat. And I'd use a
random salt rather than a predictable salt.
But I emphasize again that I believe this is actually a small issue, and
that leaving the salt in front won't really weaken things much looking at
the big picture. Because nowadays computers are so fast and cheap, cracking
the passwords usually boils down to whether the password is weak or not,
and usually the passwords picked are weak, a week at most to crack :). You
use salts just to _discourage_ attackers from precomputing. A skilled and
determined attacker who knows how to exploit any hash-salt weakness will
find it easier to crack the whole blooming computer open and get root.
Cheerio,
Link.