lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 Apr 2005 16:23:23 -0500
From: "Jim C. Nasby" <decibel@...ibel.org>
To: Tom Lane <tgl@....pgh.pa.us>
Cc: Stephen Frost <sfrost@...wman.net>, pgsql-hackers@...tgresql.org,
	bugtraq@...urityfocus.com
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords


On Wed, Apr 20, 2005 at 05:03:18PM -0400, Tom Lane wrote:
> >   This would allow for the pregeneration of the entire md5
> >   keyspace using that 'salt' and then quick breakage of the hash once
> >   it's retrieved by the attacker.
> 
> Considering the size of the possible keyspace, this is pretty silly.

Actually, it's not as silly as you think. You can download rainbow
tables for Windows/LanMan passwords up to 14 or 15 characters in length.
Given the password hash and some code, you can determine the user's
password in a matter of minutes.

Simply put, MD5 is no longer strong enough for protecting secrets. It's
just too easy to brute-force. SHA1 is ok for now, but it's days are
numbered as well. I think it would be good to alter SHA1 (or something
stronger) as an alternative to MD5, and I see no reason not to use a
random salt instead of username.
-- 
Jim C. Nasby, Database Consultant               decibel@...ibel.org 
Give your computer some brain candy! www.distributed.net Team #1828

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster


Powered by blists - more mailing lists