| From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
|---|---|
| To: | murphy pope <pope_murphy(at)hotmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Is md5 really more secure than crypt? |
| Date: | 2002-06-14 16:09:06 |
| Message-ID: | 20020614160906.GA21317@wolff.to |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Jun 14, 2002 at 10:54:35 -0400,
murphy pope <pope_murphy(at)hotmail(dot)com> wrote:
>
> But, if can peek at the server's user/password checksum (in the pg_pwd
> file), I can connect to a server, get the server's salt, and combine it
> with the stolen checksum, arriving at the checksum expected by the server.
>
> This is exactly how I would impersonate a user authenticated by 'crypt'.
>
> So, to me, it doesn't seem that 'md5' is much more secure than 'crypt'.
> The user/password hash stored in pg_pwd is essentially a plaintext
> password. What am I missing here?
I think MD5 is preferred because it provides better protection against
reversing a hash and you can use longer passwords. This helps against
some kinds of attacks.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | chris.gamble | 2002-06-14 16:19:03 | Store / Retrieve image files |
| Previous Message | Scott Marlowe | 2002-06-14 16:05:31 | Re: jobs.postgresql.org - Who's interested? |