lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 21 Apr 2005 09:50:31 -0700
From: "Joshua D. Drake" <jd@...mandprompt.com>
To: "Jim C. Nasby" <decibel@...ibel.org>
Cc: Tom Lane <tgl@....pgh.pa.us>, Stephen Frost <sfrost@...wman.net>,
	pgsql-hackers@...tgresql.org, bugtraq@...urityfocus.com
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords


> Simply put, MD5 is no longer strong enough for protecting secrets. It's
> just too easy to brute-force. SHA1 is ok for now, but it's days are
> numbered as well. I think it would be good to alter SHA1 (or something
> stronger) as an alternative to MD5, and I see no reason not to use a
> random salt instead of username.

If you aren't paying close enough attention to your database server to
see that someone is trying to brute force your MD5 password you have 
bigger problems.

Sincerely,

Joshua D. Drake





-- 
Your PostgreSQL solutions company - Command Prompt, Inc. 1.800.492.2240
PostgreSQL Replication, Consulting, Custom Programming, 24x7 support
Managed Services, Shared and Dedication Hosting
Co-Authors: plPHP, plPerlNG - http://www.commandprompt.com/

---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

               http://www.postgresql.org/docs/faq

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ