Bugtraq mailing list archives
Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Wed, 20 Apr 2005 15:36:53 -0400
Stephen Frost wrote:
> The md5 hash which is generated for and stored in pg_shadow does not use a random salt but instead uses the username which can generally be determined ahead of time (especially for the 'postgres' superuser account).

I noted that this was a problem back in August, 2002:

http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php

Then, as now, the developers weren't very concerned.

Regards,

David.
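What the username-as-salt construction discussed in this message means for stored values, as an added example that is not part of the original post or of PostgreSQL's code: the md5 stored form is `'md5' + md5(password || role name)`, so the same role name and password give the same stored value on every cluster. The function names, the sample rows and the PBKDF2 contrast case are assumptions made for illustration.

```python
import hashlib
import os
from collections import defaultdict

def pg_md5_verifier(role: str, password: str) -> str:
    """Stored form of a PostgreSQL md5 password: 'md5' + md5(password || role name)."""
    return "md5" + hashlib.md5((password + role).encode("utf-8")).hexdigest()

def random_salt_verifier(password: str, salt: bytes = b"") -> tuple:
    """Contrast case, not PostgreSQL's format: PBKDF2-HMAC-SHA256 with a random per-entry salt."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 4096)

def shared_verifiers(rows):
    """Audit helper: return {verifier: [(cluster, role), ...]} for verifiers stored more than once."""
    seen = defaultdict(list)
    for cluster, role, verifier in rows:
        seen[verifier].append((cluster, role))
    return {v: where for v, where in seen.items() if len(where) > 1}

# Constructed sample data: three hypothetical clusters, made-up passwords.
SAMPLE_ROWS = [
    ("db-a", "postgres", pg_md5_verifier("postgres", "example-pass-1")),
    ("db-b", "postgres", pg_md5_verifier("postgres", "example-pass-1")),
    ("db-c", "postgres", pg_md5_verifier("postgres", "example-pass-2")),
    ("db-a", "app", pg_md5_verifier("app", "example-pass-1")),
]

if __name__ == "__main__":
    # Only the role name differs between db-a/postgres and db-a/app, so they do not collide;
    # db-a/postgres and db-b/postgres share role name and password, so they do.
    for verifier, where in shared_verifiers(SAMPLE_ROWS).items():
        print(verifier, "stored for", where)
    # Same password under a random salt: the two stored values differ.
    first = random_salt_verifier("example-pass-1")
    second = random_salt_verifier("example-pass-1")
    print("random-salt values differ:", first[1] != second[1])
```

A match reported by `shared_verifiers` tells an auditor that a role name and password pair is reused across clusters, which a per-entry random salt would have hidden.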