Bugtraq mailing list archives
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
From: Lance James <lancej () securescience net>
Date: Thu, 21 Apr 2005 12:48:04 -0700
Joshua D. Drake wrote:
Simply put, MD5 is no longer strong enough for protecting secrets. It's just too easy to brute-force. SHA1 is ok for now, but it's days are numbered as well. I think it would be good to alter SHA1 (or something stronger) as an alternative to MD5, and I see no reason not to use a random salt instead of username.If you aren't paying close enough attention to your database server tosee that someone is trying to brute force your MD5 password you have bigger problems.
The comments on md5 and sha1 are both inaccurate if you're comparing them. Encrypted passwords are as strong as the design of the password. In some cases, SHA-1 is a faster brute force because SHA-1 is a faster hash. There are two issues here. Using SHA-1 to hash a password, and the strength of a password. If the implementation of SHA-1 is not effective, there could be weaknesses that enable reducing the time required to perform exhaustive/dictionary attacks against sha-1 protected password.
I'm out of context, but I had to make some corrections. -- Best Regards, Lance James Secure Science Corporation www.securescience.com Author of 'Phishing Exposed' http://www.securescience.net/amazon/ Have Phishers stolen your customers' logins? Find out with DIA https://slam.securescience.com/signup.cgi - it's free!
Current thread:
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords, (continued)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords David F. Skoll (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim C. Nasby (Apr 20)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Bruno Wolff III (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Antoine Martin (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Stephen Frost (Apr 23)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Antoine Martin (Apr 23)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Joshua D. Drake (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Lance James (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Tino Wildenhain (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Rod Taylor (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Tino Wildenhain (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Michael Samuel (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim Knoble (Apr 21)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 21)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 22)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 22)