Re: Is md5 really more secure than crypt?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "murphy pope" <pope_murphy(at)hotmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Is md5 really more secure than crypt?
Date: 2002-06-14 17:14:39
Message-ID: 7407.1024074879@sss.pgh.pa.us
Lists: pgsql-general

"murphy pope" <pope_murphy(at)hotmail(dot)com> writes:
> But, if I can peek at the server's user/password checksum (in the pg_pwd
> file), I can connect to a server, get the server's salt, and combine it with
> the stolen checksum, arriving at the checksum expected by the server.

Hmm. The double hashing scheme was supposed to prevent that attack,
but looking at the code I think maybe it got implemented incorrectly.
We should go back and look at the design discussions to see if this
wasn't foreseen.

regards, tom lane
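
The property discussed in this message can be checked with a small model of the md5 challenge-response. This is an added example, not part of the original message and not PostgreSQL source code; it assumes the scheme as the PostgreSQL protocol documentation describes it (stored value is the hex of md5(password || username), response is "md5" followed by md5(stored_hex || 4-byte salt)), and the user name, password and salts are constructed.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, username: str) -> str:
    """Value the server keeps on disk: hex md5(password || username)."""
    return md5_hex(password.encode() + username.encode())


def response_from_verifier(verifier_hex: str, salt: bytes) -> str:
    """Second hashing step. Its only secret input is the stored value."""
    return "md5" + md5_hex(verifier_hex.encode() + salt)


def response_from_password(password: str, username: str, salt: bytes) -> str:
    """What a client that knows the password sends for a given salt."""
    return response_from_verifier(stored_verifier(password, username), salt)


def server_accepts(verifier_hex: str, salt: bytes, response: str) -> bool:
    """Server-side check: recompute from the stored value and compare."""
    expected = response_from_verifier(verifier_hex, salt)
    return hmac.compare_digest(expected, response)


def check_properties() -> dict:
    # Constructed sample account and per-connection salts.
    user, password = "alice", "s3cret"
    salt_a, salt_b = b"\x01\x02\x03\x04", b"\xa1\xb2\xc3\xd4"
    on_disk = stored_verifier(password, user)

    # A response observed on the wire under salt_a is useless under salt_b,
    # so the salt does protect against replay of a sniffed exchange.
    sniffed = response_from_password(password, user, salt_a)
    replay_ok = server_accepts(on_disk, salt_b, sniffed)

    # The stored value alone is enough to answer any fresh salt, so the
    # on-disk checksum is password-equivalent and must be protected as such.
    from_disk_only = response_from_verifier(on_disk, salt_b)
    verifier_ok = server_accepts(on_disk, salt_b, from_disk_only)

    return {"verifier_alone_accepted": verifier_ok,
            "replay_under_new_salt_accepted": replay_ok}


if __name__ == "__main__":
    print(check_properties())
```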
