[38510] in bugtraq
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
daemon@ATHENA.MIT.EDU (Stephen Frost)
Thu Apr 21 17:25:14 2005
Date: Thu, 21 Apr 2005 16:50:47 -0400
From: Stephen Frost <sfrost@snowman.net>
To: Mike Fratto <mfratto@nwc.com>
Cc: "'Jim Knoble'" <jmknoble@pobox.com>, bugtraq@securityfocus.com
Message-ID: <20050421205047.GG29028@ns.snowman.net>
Mail-Followup-To: Mike Fratto <mfratto@nwc.com>,
'Jim Knoble' <jmknoble@pobox.com>, bugtraq@securityfocus.com
In-Reply-To: <00ed01c546a7$e067d0f0$021f10ac@bitchin>
* Mike Fratto (mfratto@nwc.com) wrote:
> > I thought the idea of the salt was to aid in expanding the
> > keyspace. Even though the salt is known (in traditional Unix
> > passwd/shadow/master.passwd databases,
>
> I am pretty sure the intent of the salt is to make pre-computation of
> dictionaries infeasible due to storage requirements. It doesn't really add
> to the keyspace because the salt is known and doesn't have to be guessed.
The salt isn't always known... I don't know how an unprivileged user on
a system w/ /etc/shadow could get at it anyway. I'm sure a lot of people
would be very anxious to know if you know of a way to do that...
Stephen
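The storage argument in the quoted paragraph, worked through as an added example that is not part of the original message: a precomputed dictionary matches an unsalted hash, misses the same password once a salt is mixed in, and would need one copy per salt value to cover them all, while guessing against a salt that is known takes the same number of tries as with no salt. SHA-256 stands in for the real password hash, and the word list, the salt value and all function names are constructed for the illustration; the 12-bit figure is the salt size of traditional crypt(3).

```python
import hashlib

SALT_BITS = 12  # salt size of traditional crypt(3); used here only for scale

# Constructed sample data (not from the original message)
WORDS = ["secret", "letmein", "postgres", "hunter2"]
SAMPLE_SALT = bytes.fromhex("a1b2")

def pw_hash(password: str, salt: bytes = b"") -> str:
    """Stand-in password hash (assumption): SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(words, salt: bytes = b""):
    """Precompute hash -> word for ONE fixed salt (empty salt = unsalted)."""
    return {pw_hash(w, salt): w for w in words}

def table_entries_needed(n_words: int, salt_bits: int) -> int:
    """Entries a precomputed dictionary needs to cover every salt value."""
    return n_words * (2 ** salt_bits)

def guesses_needed(words, target_hash: str, salt: bytes = b""):
    """Hash each word with the given salt; return the 1-based match position."""
    for i, w in enumerate(words, 1):
        if pw_hash(w, salt) == target_hash:
            return i
    return None

def demo():
    table = build_table(WORDS)                    # built once, no salt
    unsalted = pw_hash("postgres")
    salted = pw_hash("postgres", SAMPLE_SALT)
    return {
        # one lookup finds the unsalted password
        "unsalted_hit": table.get(unsalted),
        # the same table is useless against the salted hash
        "salted_hit": table.get(salted),
        # storage grows by 2**SALT_BITS to precompute for every salt
        "entries_for_all_salts": table_entries_needed(len(WORDS), SALT_BITS),
        # with the salt known, the number of guesses does not change
        "guesses_unsalted": guesses_needed(WORDS, unsalted),
        "guesses_known_salt": guesses_needed(WORDS, salted, SAMPLE_SALT),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```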