
| Subject: | RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
|---|---|
| Date: | Thu, 21 Apr 2005 17:57:21 -0400 |

> That's the whole point of the discussion- the way Postgres's pg_shadow stuff works the salt is known and *because* of that it might as well not exist since it means that you can pre-compute the keyspace.

I see your point. I don't know anything about postgres. I don't use it. But if someone can get to the pg_hba.conf file (I assume (hope) it is read/write by the process owner or root only?) then you're screwed anyway. So while there may be better ways to store and use passwords, perhaps in light of the root of the problem (getting to the file) the fore-knowledge of a salt isn't that important. If an admin created a "strong" password (whatever that means), then pre-computation won't help an attacker get it. At worst for the admin, pre-computation will shorten the attacker's time to know if the password can be broken or not. At best it might slow them down a bit (but not really). I dunno.
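
Added example, not part of the original message or of PostgreSQL's code: PostgreSQL's md5 storage format is `md5` followed by md5(password || username), so the "salt" is the account name and the same account and password give the same stored value on every installation. The PBKDF2 scheme, the account names, the passwords and the cluster names are constructed for comparison.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def pg_md5_verifier(user, password):
    # PostgreSQL md5 storage format: "md5" + hex(md5(password || username)).
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def salted_verifier(password, salt=None, rounds=100_000):
    # Comparison scheme (an assumption, not PostgreSQL's): random 16-byte salt per entry.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"

def salted_check(password, stored):
    # Recompute with the salt and round count kept beside the hash, compare in constant time.
    rounds, salt_hex, _ = stored.split("$")
    candidate = salted_verifier(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, stored)

def reused_across(clusters):
    # Map each stored verifier to the (cluster, user) pairs holding it; keep the repeats.
    seen = defaultdict(list)
    for cluster, rows in clusters.items():
        for user, verifier in rows:
            seen[verifier].append((cluster, user))
    return {v: where for v, where in seen.items() if len(where) > 1}

# Constructed sample data: two unrelated installations with the same accounts and passwords.
ACCOUNTS = [("postgres", "constructed-Passw0rd"), ("app", "another-constructed-pw")]

def build(scheme):
    return {name: [(u, scheme(u, p)) for u, p in ACCOUNTS]
            for name in ("cluster-a", "cluster-b")}

MD5_CLUSTERS = build(pg_md5_verifier)
SALTED_CLUSTERS = build(lambda user, password: salted_verifier(password))

if __name__ == "__main__":
    print("md5 format, verifiers shared between clusters:", len(reused_across(MD5_CLUSTERS)))
    print("random salt, verifiers shared between clusters:", len(reused_across(SALTED_CLUSTERS)))
```

With the md5 format the two installations store byte-identical values for each account, which is what makes work done once for a given account name reusable everywhere; with a random per-entry salt no two stored values match, yet each still verifies.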