[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

To: "Jim C. Nasby" <decibel@xxxxxxxxxxx>
Subject: Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
From: "Joshua D. Drake" <jd@xxxxxxxxxxxxxxxxx>
Date: Thu, 21 Apr 2005 09:50:31 -0700

Simply put, MD5 is no longer strong enough for protecting secrets. It's
just too easy to brute-force. SHA1 is ok for now, but it's days are
numbered as well. I think it would be good to alter SHA1 (or something
stronger) as an alternative to MD5, and I see no reason not to use a
random salt instead of username.

If you aren't paying close enough attention to your database server to see that someone is trying to brute force your MD5 password you have bigger problems.

Sincerely,

Joshua D. Drake

--
Your PostgreSQL solutions company - Command Prompt, Inc. 1.800.492.2240
PostgreSQL Replication, Consulting, Custom Programming, 24x7 support
Managed Services, Shared and Dedication Hosting
Co-Authors: plPHP, plPerlNG - http://www.commandprompt.com/

Follow-Ups:
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  - From: Stephen Frost
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  - From: Lance James

References:
- Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  - From: Stephen Frost
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  - From: Tom Lane
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  - From: Jim C. Nasby

Prev by Date: directory traversal in Yawcam 0.2.5
Next by Date: Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Previous by thread: Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted
Next by thread: Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Index(es):
- Date
- Thread