Re: Encoding passwords
| From | Tom Lane |
|---|---|
| Subject | Re: Encoding passwords |
| Date | |
| Msg-id | 23194.1001774910@sss.pgh.pa.us |
| In reply to | Re: Encoding passwords (Lincoln Yeoh <lyeoh@pop.jaring.my>) |
| List | pgsql-general |
Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> I think it needs further confirmation, because what I said was from memory
> - I still can't find the source- so take what I said with a pinch of erm
> MSG. I'd personally go with the XOR rather than concat.

Why? AFAIK, appending a salt is a well-understood process with MD5. I see no reason to think that XORing would be better, and it might be worse.

> And I'd use a random salt rather than a predictable salt.

We do, at least for passwords flowing across the net. There's no randomness in the salt for a password stored in pg_shadow, but the only way to have randomness there would be to add a separate column showing what the random salt was --- so an attacker with access to pg_shadow would know what the salt was, anyway.

> But I emphasize again that I believe this is actually a small issue,

Indeed, but I'd rather get it right now than realize we made a small error after it's too late to change.

regards, tom lane
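The concatenation-style salting the reply refers to, as an added example that is not part of the thread: it models PostgreSQL's md5 password scheme (role name as the fixed salt for the stored pg_shadow form, a fresh random 4-byte salt for the network exchange), with the role and password values constructed here for illustration.

```python
import hashlib
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_hash(password: str, role: str) -> str:
    """pg_shadow form: "md5" + md5(password || role). The role name is the
    salt, so the value is deterministic: no extra salt column is needed, and
    anyone who can read the row already knows the salt, as the reply notes."""
    return "md5" + md5_hex(password.encode() + role.encode())


def new_wire_salt() -> bytes:
    """Server side: a fresh random salt for each authentication attempt."""
    return os.urandom(4)


def wire_response(password: str, role: str, salt: bytes) -> str:
    """Client side: hash the deterministic stored form again with the random
    wire salt, so the value crossing the network differs on every attempt."""
    inner = stored_hash(password, role)[3:]  # 32 hex chars, prefix dropped
    return "md5" + md5_hex(inner.encode() + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """The server holds only the stored form; it recomputes the expected
    response from that and the salt it issued, then compares."""
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return expected == response


def demo(password: str = "s3cret", role: str = "alice") -> dict:
    # Constructed credentials; shows the deterministic stored form next to
    # the randomized wire form and the server-side check of both.
    stored = stored_hash(password, role)
    salt_a, salt_b = new_wire_salt(), new_wire_salt()
    resp_a = wire_response(password, role, salt_a)
    resp_b = wire_response(password, role, salt_b)
    return {
        "stored_is_deterministic": stored == stored_hash(password, role),
        "role_changes_hash": stored != stored_hash(password, "bob"),
        "verify_a": server_verify(stored, salt_a, resp_a),
        "verify_b": server_verify(stored, salt_b, resp_b),
        "wrong_password_rejected": not server_verify(
            stored, salt_a, wire_response("other", role, salt_a)),
    }
```

Current PostgreSQL releases default to SCRAM-SHA-256 rather than this md5 scheme, but the stored-form versus wire-form distinction discussed in the thread is the same.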