Stephen Frost <sfrost@snowman.net> writes:
> I have some hopes that pointing out the rather large problem with the
> md5 authentication mechanism in pg_hba.conf will lead them to discourage
> its use and thus reduce the occurrences of the salt being made
> available to the user giving more weight to the usefulness of having it
> be a random salt. Additionally, it's been a few years, perhaps
> viewpoints have changed.

Salts are always given to the user, that's how they work. They're not secret.

The issue pointed out back then was that lots of hosts would have usernames
with the same name, namely "postgres". So a distributed attack would be able
to use a dictionary attack if it were targeting just the "postgres" user on
many hosts.

That was deemed not a threat model worth worrying about. It's pretty unlikely
someone would have access to the md5sums for many different hosts.

--
greg
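
Added example, not part of the message above: PostgreSQL's md5 method stores "md5" followed by md5(password || username), so the user name is the salt and equal passwords for "postgres" produce equal stored values on every host. The audit below groups stored values across hosts to show that; `random_salt_stored`, the host names and the passwords are constructed for illustration and are not a PostgreSQL scheme or real data.

```python
import hashlib
import os
from collections import defaultdict


def pg_md5_stored(password: str, username: str) -> str:
    """Stored value for PostgreSQL md5 auth: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def random_salt_stored(password: str, salt: bytes) -> str:
    """Hypothetical contrast: per-account random salt, kept in the clear beside the hash."""
    return salt.hex() + "$" + hashlib.md5(salt + password.encode()).hexdigest()


def shared_verifiers(records):
    """Group (host, user, stored) records by stored value; keep values seen more than once."""
    groups = defaultdict(list)
    for host, user, stored in records:
        groups[stored].append((host, user))
    return {v: where for v, where in groups.items() if len(where) > 1}


# Constructed sample: three hosts, each with a superuser named "postgres".
HOSTS = {"db1.example": "s3cret-A", "db2.example": "s3cret-A", "db3.example": "other-B"}


def build_records(random_salts: bool):
    """Return (host, user, stored) tuples using either the user-name salt or a random one."""
    records = []
    for host, password in HOSTS.items():
        if random_salts:
            stored = random_salt_stored(password, os.urandom(8))
        else:
            stored = pg_md5_stored(password, "postgres")
        records.append((host, "postgres", stored))
    return records


if __name__ == "__main__":
    # User name as salt: db1 and db2 collapse to one stored value.
    print(shared_verifiers(build_records(random_salts=False)))
    # Random salt: the salt is still public, but no two hosts share a value.
    print(shared_verifiers(build_records(random_salts=True)))
```
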