Re: Salt in encrypted password in pg_shadow

From Richard Huxton
Subject Re: Salt in encrypted password in pg_shadow
Date
Msg-id 413DEE4A.6030608@archonet.com
In reply to Re: Salt in encrypted password in pg_shadow  (David Garamond <lists@zara.6.isreserved.com>)
Responses Re: Salt in encrypted password in pg_shadow  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
David Garamond wrote:
> Consider someone who creates a long list of:
>
>  MD5( "postgres" + "aaaaaaaa" )
>  MD5( "postgres" + "aaaaaaab" )
>  MD5( "postgres" + "aaaaaaac" )
>  ...
>
> Now if he has access to other people's pg_shadow, he can compare the
> hashes with his dictionary. Replacing "postgres" with a random salt
> defeats this dictionary attack (and thus he will have to resort to brute
> force).

But surely you have to store the random salt in pg_shadow too? Or am I
missing something?

--
   Richard Huxton
   Archonet Ltd
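
The point under discussion, as an added example (not part of the original message and not PostgreSQL's own code): the salt is stored in the clear beside the hash and login verification still works, while a table precomputed for the fixed salt "postgres" matches no randomly salted row. The record layout, function names and word list are assumptions made for illustration; the hash follows the MD5(salt + password) form written in the quoted text.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the precomputed dictionary.
WORDS = ["aaaaaaaa", "aaaaaaab", "aaaaaaac", "secret12"]

def md5_hex(salt: str, password: str) -> str:
    """MD5(salt + password), the form written in the quoted message."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def make_record(user: str, password: str, random_salt: bool) -> dict:
    """Build the stored row. The salt is kept in the clear beside the hash."""
    salt = os.urandom(8).hex() if random_salt else user
    return {"user": user, "salt": salt, "hash": md5_hex(salt, password)}

def verify(record: dict, candidate: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(record["hash"], md5_hex(record["salt"], candidate))

def precomputed_table(fixed_salt: str, words: list) -> dict:
    """Table built once, in advance, for a salt known before any theft."""
    return {md5_hex(fixed_salt, w): w for w in words}

def rows_exposed(table: dict, records: list) -> list:
    """Rows whose hash is found in the prebuilt table with no per-row hashing."""
    return [(r["user"], table[r["hash"]]) for r in records if r["hash"] in table]

def demo() -> dict:
    table = precomputed_table("postgres", WORDS)
    # Two unrelated installations, same account name, same weak password.
    fixed = [make_record("postgres", "secret12", False) for _ in range(2)]
    salted = [make_record("postgres", "secret12", True) for _ in range(2)]
    return {
        "fixed_exposed": rows_exposed(table, fixed),
        "salted_exposed": rows_exposed(table, salted),
        "salted_login_ok": all(verify(r, "secret12") for r in salted),
        "salted_hashes_differ": salted[0]["hash"] != salted[1]["hash"],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The stored salt is not a secret; its effect is that a table has to be rebuilt for each row's salt instead of once for every installation.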
