Re: Rejecting weak passwords

Поиск
Список
Период
Сортировка
От marcin mank
Тема Re: Rejecting weak passwords
Дата
Msg-id b1b9fac60909281449l2d0cb757y5f097010bb1dba54@mail.gmail.com
обсуждение исходный текст
Ответ на Re: Rejecting weak passwords  (Tom Lane <tgl@sss.pgh.pa.us>)
Ответы Re: Rejecting weak passwords  (Josh Berkus <josh@agliodbs.com>)
Re: Rejecting weak passwords  (Tom Lane <tgl@sss.pgh.pa.us>)
Список pgsql-hackers
Дерево обсуждения 
> The case that ENCRYPTED
> protects against is database superusers finding out other users'
> original passwords, which is a security issue to the extent that those
> users have used the same/similar passwords for other systems.

I just want to note that md5 is not much of a protection against this
case these days. Take a look at this:
http://www.golubev.com/hashgpu.htm

It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
of up to 8 chars in length.

Maybe it is time to look at something like bcrypt.
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

Greetings
Marcin

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Euler Taveira de Oliveira
Дата:
Сообщение: Buffer usage in EXPLAIN and pg_stat_statements (review)
Следующее
От: Bernd Helmle
Дата:
Сообщение: Re: TODO item: Allow more complex user/database default GUC settings