<<< Date Index >>>     <<< Thread Index >>>

RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords



> That's the whole point of the discussion- the way Postgres's 
> pg_shadow stuff works the salt is known and *because* of that 
> it might as well not exist since it means that you can 
> pre-compute the keyspace.  

I see your point. I don't know anything about postgres. I don't use it. But
if someone can get to the pg_hba.conf file (I assume (hope) it is read/write
by the process owner or root only?) then your screwed anyway. So while there
may be better ways to store and use passwords, perhaps in light of the root
of the problem (getting to the file) the fore-knowledge of a salt isn't that
important. If an admin created a "strong" password (whatever that means),
then pre-computation won't help an attacker get it. At worst for the admon,
pre-computation will shorten the attackers time to know if the password can
be broken or not. At best it might slow them down a bit (but not really). 

I dunno.