Re: Salt in encrypted password in pg_shadow
From | David Garamond |
---|---|
Subject | Re: Salt in encrypted password in pg_shadow |
Date | |
Msg-id | 413E6A55.7060704@zara.6.isreserved.com |
In reply to | Salt in encrypted password in pg_shadow (David Garamond <lists@zara.6.isreserved.com>) |
Responses | Re: Salt in encrypted password in pg_shadow |
List | pgsql-general |
Tom Lane wrote:
>>Many people use short and easy-to-guess passwords (remember we're not
>>talking about the superuser only here), so the dictionary attack can be
>>more effective than people think.
>
> And that responds to the speed argument how? I quite agree that a
> guessable password is risky, but putting in a random salt offers no
> real advantage if the salt has to be stored in the same place as the
> encrypted password.

Hm, I thought the purpose of salt is generally well understood? A well-known string such as "postgres" is *not* a good salt at all. Here's a couple of pages that hopefully can explain better:

http://en.wikipedia.org/wiki/Dictionary_attack
http://en.wikipedia.org/wiki/Salt_(cryptography)

--
dave
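The distinction argued in this message, shown as an added example that is not part of the original post or of PostgreSQL's code: a verifier salted with a well-known string is identical on every server and can be matched against a table computed once in advance, while a random per-entry salt stored next to the hash makes that same table useless. It assumes the fixed salt is the role name appended to the password, as in the `md5` password format of pg_shadow; the word list, site names and passwords are constructed.

```python
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty"]  # constructed sample guesses

def verifier(password: str, salt: bytes) -> str:
    # Same hash in both schemes so that only the choice of salt differs.
    return "md5" + hashlib.md5(password.encode() + salt).hexdigest()

def precompute(salt: bytes) -> dict:
    """Table built once, ahead of time, for a salt that is known in advance."""
    return {verifier(word, salt): word for word in WORDLIST}

def exposed_entries(store: dict, table: dict) -> list:
    """Entries whose stored verifier already appears in a precomputed table."""
    return sorted(site for site, (_salt, v) in store.items() if v in table)

def make_store(passwords: dict, random_salt: bool) -> dict:
    """Map site -> (salt, verifier); the salt is kept beside the verifier."""
    store = {}
    for site, password in passwords.items():
        salt = os.urandom(16) if random_salt else b"postgres"
        store[site] = (salt, verifier(password, salt))
    return store

# Constructed: the role "postgres" on three unrelated servers.
PASSWORDS = {"site-a": "letmein", "site-b": "letmein", "site-c": "x9$Lq!72vT"}

def demo() -> dict:
    table = precompute(b"postgres")  # reusable against every fixed-salt store
    fixed = make_store(PASSWORDS, random_salt=False)
    rand = make_store(PASSWORDS, random_salt=True)
    return {
        "fixed_hits": exposed_entries(fixed, table),
        "random_hits": exposed_entries(rand, table),
        "fixed_identical": fixed["site-a"][1] == fixed["site-b"][1],
        "random_identical": rand["site-a"][1] == rand["site-b"][1],
    }

if __name__ == "__main__":
    print(demo())
```

With random salts each stored entry still yields to guessing one salt at a time, so the weak password on site-a and site-b remains weak; what disappears is the reuse of one table across entries and servers.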