[38536] in bugtraq
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
daemon@ATHENA.MIT.EDU (Stephen Frost)
Fri Apr 22 14:27:17 2005
Date: Thu, 21 Apr 2005 17:33:54 -0400
From: Stephen Frost <sfrost@snowman.net>
To: Mike Fratto <mfratto@nwc.com>
Cc: "'Jim Knoble'" <jmknoble@pobox.com>, bugtraq@securityfocus.com
Message-ID: <20050421213354.GH29028@ns.snowman.net>
Mail-Followup-To: Mike Fratto <mfratto@nwc.com>,
'Jim Knoble' <jmknoble@pobox.com>, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="QBJnsLb0QyYEYRYK"
Content-Disposition: inline
In-Reply-To: <012e01c546b7$28eeb820$021f10ac@bitchin>
--QBJnsLb0QyYEYRYK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
* Mike Fratto (mfratto@nwc.com) wrote:
> Since the salt is known, it has no effect on the "keyspace" because you
> don't have to guess it. If there was no salt, then pre-computing a
> dictionary is a much smaller task.=20
That's the whole point of the discussion- the way Postgres's pg_shadow
stuff works the salt is known and *because* of that it might as well not
exist since it means that you can pre-compute the keyspace. Knowing the
salt means you can pre-compute the keyspace ahead of time. If you don't
know the salt until you've gained access then you'll have to wait till
then to begin computing the keyspace.
I suppose technically you could start pre-computing the keyspace before
then, but then it's a much larger keyspace which makes it much more
difficult.
Stephen
--QBJnsLb0QyYEYRYK
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCaBxCrzgMPqB3kigRAlR6AJ4jUIxdf3kw3gaGQZtcFI/51Z1gmgCfcLOZ
j6vHFtu3RIihYAkBKro3j5k=
=x7r/
-----END PGP SIGNATURE-----
--QBJnsLb0QyYEYRYK--
