<<< Date Index >>>     <<< Thread Index >>>

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords



Joshua D. Drake wrote:
Simply put, MD5 is no longer strong enough for protecting secrets. It's
just too easy to brute-force. SHA1 is ok for now, but it's days are
numbered as well. I think it would be good to alter SHA1 (or something
stronger) as an alternative to MD5, and I see no reason not to use a
random salt instead of username.


If you aren't paying close enough attention to your database server to
see that someone is trying to brute force your MD5 password you have bigger problems.

The comments on md5 and sha1 are both inaccurate if you're comparing them. Encrypted passwords are as strong as the design of the password. In some cases, SHA-1 is a faster brute force because SHA-1 is a faster hash. There are two issues here. Using SHA-1 to hash a password, and the strength of a password. If the implementation of SHA-1 is not effective, there could be weaknesses that enable reducing the time required to perform exhaustive/dictionary attacks against sha-1 protected password.

I'm out of context, but I had to make some corrections.


--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Have Phishers stolen your customers' logins? Find out with DIA
https://slam.securescience.com/signup.cgi - it's free!