Home > mailing lists

Re: MD5 authentication needs help - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: MD5 authentication needs help
Date	March 4, 2015 20:54:21
Msg-id	24254.1425502449@sss.pgh.pa.us Whole thread Raw
In response to	Re: MD5 authentication needs help (Bruce Momjian <bruce@momjian.us>)
Responses	Re: MD5 authentication needs help Re: MD5 authentication needs help
List	pgsql-hackers

Tree view

Bruce Momjian <bruce@momjian.us> writes:
> Let me update my list of possible improvements:

> 1)  MD5 makes users feel uneasy (though our usage is mostly safe)

> 2)  The per-session salt sent to the client is only 32-bits, meaning
> that it is possible to reply an observed MD5 hash in ~16k connection
> attempts.

> 3)  Using the user name for the MD5 storage salt allows the MD5 stored
> hash to be used on a different cluster if the user used the same
> password.

> 4)  Using the user name for the MD5 storage salt allows the MD5 stored
> hash to be used on the _same_ cluster.

> 5)  Using the user name for the MD5 storage salt causes the renaming of
> a user to break the stored password.

What happened to "possession of the contents of pg_authid is sufficient
to log in"?  I thought fixing that was one of the objectives here.
        regards, tom lane

pgsql-hackers by date:

From: Bruce Momjian
Date: 04 March 2015, 20:43:39
Subject: Re: MD5 authentication needs help

From: Stephen Frost
Date: 04 March 2015, 20:56:09
Subject: Re: MD5 authentication needs help

Re: MD5 authentication needs help - Mailing list pgsql-hackers

Previous

Next