lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4266F348.9050208@roaringpenguin.com>
Date: Wed, 20 Apr 2005 20:26:48 -0400
From: "David F. Skoll" <dfs@...ringpenguin.com>
To: Tom Lane <tgl@....pgh.pa.us>
Cc: Bruce Momjian <pgman@...dle.pha.pa.us>,
	"Jim C. Nasby" <decibel@...ibel.org>,
	Stephen Frost <sfrost@...wman.net>, pgsql-hackers@...tgresql.org,
	bugtraq@...urityfocus.com
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords


Tom Lane wrote:

> Lessee ... we'll include a complete password hash table in a root kit,
> which will be used at a point where we've already managed to read
> pg_shadow but are somehow still lacking the ability to do anything else
> we could want to the database ... nope, not very compelling.

You are correct that the threat against the PostgreSQL installation itself
is not very compelling.  However, take a look at the bigger picture:
People crack into systems and then try to use those systems to crack
into other systems.  If you can make it harder to recover passwords
in the PostgreSQL system, then you've made it harder for attackers
to use those recovered passwords to attack other systems.

Think of the complete security environment, not just the security
of a particular PostgreSQL installation.  Having random salts makes
it much harder for attackers to answer questions like "Does user X
have the same password in PostgreSQL installation 1 as he does in PostgreSQL
installation 2".

Regards,

David.

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ