Re: A stab at implementing better password hashing, with mixed results

From: Claudio Freire <klaussfreire(at)gmail(dot)com>
To: PostgreSQL hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: A stab at implementing better password hashing, with mixed results
Date: 2012-12-27 15:31:08
Message-ID: CAGTBQpbRgrRctMD7Q-UeTcchGp7JeL10r8hT8rErj3EYnrXvng@mail.gmail.com
Lists: pgsql-hackers

On Thu, Dec 27, 2012 at 11:46 AM, Peter Bex <Peter(dot)Bex(at)xs4all(dot)nl> wrote:
>
> Implementing a more secure challenge-response based algorithm means
> a change in the client-server protocol. Perhaps something like SCRAM
> (maybe through SASL) really is the way forward for this, but that
> seems like quite a project and it seems to dictate how the passwords are
> stored; it requires a hash of the PBKDF2 algorithm to be stored.

It would be nonsense to do it in any other way... protecting the
password store and not the exchange would just shift the weak spot.
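To make concrete what "a hash of the PBKDF2 algorithm" means for the server-side store in a SCRAM-style exchange, here is an added example (not code from this thread or from PostgreSQL) that follows the SCRAM-SHA-256 construction: the server keeps only salt, iteration count, StoredKey = H(HMAC(PBKDF2(password), "Client Key")) and ServerKey, and verifies a client proof without ever seeing the password. The iteration count of 4096, the salt and the AuthMessage string are constructed for the example.

```python
import hashlib
import hmac

# Constructed parameters for the example; real deployments negotiate these.
ITERATIONS = 4096


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _client_key(password: str, salt: bytes, iterations: int) -> bytes:
    # SaltedPassword = PBKDF2-HMAC-SHA256(password, salt, iterations)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return _hmac(salted, b"Client Key")


def scram_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """What the server stores. StoredKey is a hash of ClientKey, so a copy of
    this record is not enough to run the client side of the exchange."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(client_key),
            "server_key": _hmac(salted, b"Server Key")}


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _client_key(password, salt, iterations)
    client_signature = _hmac(_h(client_key), auth_message)
    return _xor(client_key, client_signature)


def server_verify(verifier: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    AuthMessage binds both nonces, so a captured proof is useless for a later session."""
    client_signature = _hmac(verifier["stored_key"], auth_message)
    recovered_client_key = _xor(proof, client_signature)
    return hmac.compare_digest(_h(recovered_client_key), verifier["stored_key"])


def server_signature(verifier: dict, auth_message: bytes) -> bytes:
    """Lets the client confirm the server actually holds ServerKey (mutual auth)."""
    return _hmac(verifier["server_key"], auth_message)
```

The same password with a different AuthMessage (new nonces) yields a different proof, which is the property the plain MD5 scheme discussed in this thread lacks.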
