lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 21 Apr 2005 17:57:21 -0400
From: "Mike Fratto" <mfratto@....com>
To: "'Stephen Frost'" <sfrost@...wman.net>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords



> That's the whole point of the discussion- the way Postgres's 
> pg_shadow stuff works the salt is known and *because* of that 
> it might as well not exist since it means that you can 
> pre-compute the keyspace.  

I see your point. I don't know anything about postgres. I don't use it. But
if someone can get to the pg_hba.conf file (I assume (hope) it is read/write
by the process owner or root only?) then your screwed anyway. So while there
may be better ways to store and use passwords, perhaps in light of the root
of the problem (getting to the file) the fore-knowledge of a salt isn't that
important. If an admin created a "strong" password (whatever that means),
then pre-computation won't help an attacker get it. At worst for the admon,
pre-computation will shorten the attackers time to know if the password can
be broken or not. At best it might slow them down a bit (but not really). 

I dunno.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ