Stephen Frost <[EMAIL PROTECTED]> writes:

> I have some hopes that pointing out the rather large problem with the
> md5 authentication mechanism in pg_hba.conf will lead them to discourage
> its use and thus reduce the occurrences of the salt being made
> available to the user, giving more weight to the usefulness of having it
> be a random salt. Additionally, it's been a few years; perhaps
> viewpoints have changed.
Salts are always given to the user; that's how they work. They're not secret.

The issue pointed out back then was that lots of hosts would have usernames with the same name, namely "postgres". So a distributed attack would be able to use a dictionary attack if it were targeting just the "postgres" user on many hosts. That was deemed not a threat model worth worrying about. It's pretty unlikely someone would have access to the md5sums for many different hosts.

-- 
greg
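As an added example (not code from the thread or from PostgreSQL itself), the following Python models the point Greg makes: PostgreSQL's md5 authentication stores `'md5' + hex(md5(password || username))`, so the username is the only salt on the stored hash; the 4-byte random salt the server sends at login only protects the wire exchange (`'md5' + hex(md5(inner_hex || salt))`) against replay. The three hosts, the wordlist and the alternative per-entry random-salt scheme are constructed here for illustration. The script counts hash evaluations to show why a shared username lets one precomputed dictionary crack every host's "postgres" hash, whereas a per-hash random salt forces the work to be repeated per hash.

```python
import hashlib
import os


def pg_md5_stored(password: str, username: str) -> str:
    """Stored form used by PostgreSQL md5 auth: 'md5' + hex(md5(password || username)).

    The username is the only salt, so the same password under the same role
    name produces an identical stored hash on every host.
    """
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_md5_wire(stored: str, server_salt: bytes) -> str:
    """What the client sends at login: 'md5' + hex(md5(inner_hex || 4-byte salt)).

    Anyone holding the stored value (without knowing the password) can compute
    this, and the random salt never re-salts the stored hash itself.
    """
    inner_hex = stored[len("md5"):]
    return "md5" + hashlib.md5(inner_hex.encode() + server_salt).hexdigest()


# Constructed wordlist for the dictionary attack.
WORDLIST = ["password", "postgres", "secret", "hunter2", "letmein"]

# Constructed pg_shadow-style entries collected from three hosts, all for role 'postgres'.
HOSTS = {
    "db1.example": pg_md5_stored("hunter2", "postgres"),
    "db2.example": pg_md5_stored("letmein", "postgres"),
    "db3.example": pg_md5_stored("hunter2", "postgres"),
}


def crack_shared_salt(hashes_by_host: dict, username: str, wordlist: list):
    """Username-as-salt: one table built once cracks every host. Returns (results, hash_count)."""
    table = {pg_md5_stored(w, username): w for w in wordlist}
    results = {host: table.get(h) for host, h in hashes_by_host.items()}
    return results, len(wordlist)


# Hypothetical alternative scheme with a per-entry random salt, for comparison.
def salted_stored(password: str, salt: bytes) -> str:
    return salt.hex() + "$" + hashlib.md5(salt + password.encode()).hexdigest()


def crack_random_salt(hashes_by_host: dict, wordlist: list):
    """Per-entry random salt: the dictionary must be recomputed for every hash."""
    results, work = {}, 0
    for host, stored in hashes_by_host.items():
        salt_hex, digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        results[host] = None
        for w in wordlist:
            work += 1
            if hashlib.md5(salt + w.encode()).hexdigest() == digest:
                results[host] = w
                break
    return results, work


if __name__ == "__main__":
    # Same password, same role name, different hosts: identical stored hashes.
    print(HOSTS["db1.example"] == HOSTS["db3.example"])  # True

    shared, shared_work = crack_shared_salt(HOSTS, "postgres", WORDLIST)
    print("username-salted:", shared, "hash evaluations:", shared_work)

    random_hosts = {
        host: salted_stored(pw, os.urandom(4))
        for host, pw in [("db1.example", "hunter2"), ("db2.example", "letmein"), ("db3.example", "hunter2")]
    }
    random_res, random_work = crack_random_salt(random_hosts, WORDLIST)
    print("random-salted:  ", random_res, "hash evaluations:", random_work)
```

With the constructed inputs the username-salted table costs five hash evaluations in total and cracks all three hosts, while the random-salted variant needs thirteen and cannot reuse the db1 result for db3 even though the passwords are the same. This is exactly the cross-host economy of scale Greg describes, and also why it only matters to an attacker who has already obtained the stored hashes from many hosts.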