Re: Salt in encrypted password in pg_shadow
| От | Greg Stark |
|---|---|
| Тема | Re: Salt in encrypted password in pg_shadow |
| Дата | |
| Msg-id | 87isamuajh.fsf@stark.xeocode.com обсуждение исходный текст |
| Ответ на | Salt in encrypted password in pg_shadow (David Garamond <lists@zara.6.isreserved.com>) |
| Список | pgsql-general |
Chris Travers <chris@metatrontech.com> writes: > This only works because you have a theoretical delay between incorrect > password attempts, so dictionary attacks directly are supposed to be > difficult to impliment. I say theoretically because a smart attacker will > use a program to open multiple telnet connections simultaneously to try a > large number of passwords at once. No, this is irrelevant to salts. People actually trying to log in is not the threat model that salts are there to protect. This is not what is meant by "dictionary attack". What is meant by dictionary attack in the context of hashed passwords is someone generating a "dictionary" of hashes for every guessable password. Then they can take any hash they find in a password database and look up in their "dictionary" a valid password it. Salts prevent this by forcing someone to generate 2^16 possible hashes for every possible guessable password. Essentially making them hash every guessable password again anew for each user attacked. They're only relevant for attackers who have access to the password database. Not for attackers who are just knocking on the door over and over. The weakness described would apply to someone who had access to many pg_shadows from many installations. They could check every "postgres" user against their dictionary quickly. Or an unscrupulous dba could assign usernames starting with the same two letters for everyone and then guess people's passwords by looking up the hashes in a dictionary. -- greg
В списке pgsql-general по дате отправления: