Re: Rejecting weak passwords
From | Tom Lane |
---|---|
Subject | Re: Rejecting weak passwords |
Date | |
Msg-id | 16091.1254180412@sss.pgh.pa.us |
In reply to | Re: Rejecting weak passwords (marcin mank <marcin.mank@gmail.com>) |
List | pgsql-hackers |
marcin mank <marcin.mank@gmail.com> writes:
>> The case that ENCRYPTED
>> protects against is database superusers finding out other users'
>> original passwords, which is a security issue to the extent that those
>> users have used the same/similar passwords for other systems.

> I just want to note that md5 is not much of a protection against this
> case these days. Take a look at this:
> http://www.golubev.com/hashgpu.htm
> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.

Yeah, but that will find you a password that hashes to the same thing.
Not necessarily the same password. It'll get you into the Postgres DB
just fine, which you don't care about because you're already a superuser
there. It won't necessarily get you into the assumed third-party systems.

			regards, tom lane
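The exchange above turns on what a superuser actually holds in pg_authid.rolpassword and what a brute-force search over it yields. The following is an added example, not code from the thread or from PostgreSQL itself: it builds the md5-era rolpassword value (the literal prefix "md5" followed by the hex MD5 of password concatenated with the role name, which serves as the salt), runs the kind of exhaustive [a-zA-Z0-9] search the hashgpu link describes over a deliberately tiny length bound so it finishes in seconds, and then counts how many candidates in that space produce the same digest. The role name "alice" and password "Zb9" are constructed sample inputs.

```python
import hashlib
import itertools
import string

# Character set from the thread: [a-zA-Z0-9], 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def pg_md5_password(password: str, role: str) -> str:
    """Build the value PostgreSQL stores for an ENCRYPTED (md5) password.

    The stored form is "md5" + hex(md5(password || rolename)).  The role name
    is the only salt, so two roles with the same password get different
    values, but the salt is public and fixed, which is what makes the
    per-user brute force below practical.
    """
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest


def _target_digest(stored: str) -> str:
    """Strip the "md5" prefix and sanity-check the 3 + 32 character layout."""
    if not stored.startswith("md5") or len(stored) != 35:
        raise ValueError("not an md5-style rolpassword value")
    return stored[3:]


def brute_force_pg_md5(stored: str, role: str, alphabet: str = ALPHABET,
                       max_len: int = 3):
    """Exhaustively try every string of length 1..max_len over alphabet.

    Returns the first candidate whose md5(candidate || role) matches, or None.
    This is the same search the hashgpu page times for length 8; max_len is
    kept small here only so the example runs quickly on a CPU.
    """
    target = _target_digest(stored)
    salt = role.encode("utf-8")
    for length in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=length):
            pw = "".join(cand)
            if hashlib.md5(pw.encode("utf-8") + salt).hexdigest() == target:
                return pw
    return None


def count_preimages(stored: str, role: str, alphabet: str = ALPHABET,
                    max_len: int = 3) -> int:
    """Count every candidate in the space that hashes to the stored digest.

    This separates the two things the thread distinguishes: a match that
    opens the Postgres account (any preimage) versus the user's original
    password (a specific preimage).  With a 128-bit digest and a space of
    only a few hundred thousand candidates, a second preimage is not
    expected, so the count is normally exactly 1.
    """
    target = _target_digest(stored)
    salt = role.encode("utf-8")
    hits = 0
    for length in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=length):
            pw = "".join(cand)
            if hashlib.md5(pw.encode("utf-8") + salt).hexdigest() == target:
                hits += 1
    return hits


if __name__ == "__main__":
    # Constructed sample: role "alice" chose the (very weak) password "Zb9".
    stored = pg_md5_password("Zb9", "alice")
    print("rolpassword:", stored)
    print("recovered  :", brute_force_pg_md5(stored, "alice"))
    print("preimages  :", count_preimages(stored, "alice"))
    # Same password, different role, different stored value (role is the salt).
    print("bob's value:", pg_md5_password("Zb9", "bob"))
```

The search space for lengths 1 to 3 is 62 + 62^2 + 62^3 = 242,234 candidates; the full 8-character space on the hashgpu page is about 2^47.6, which is still negligible against the 2^128 possible MD5 outputs, so in practice the single preimage the search returns is the password the user typed, and the role-name salt only forces the attacker to repeat the search per role rather than reuse a precomputed table.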