Re: Rejecting weak passwords

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: marcin mank <marcin.mank@gmail.com>
Cc: Marko Kreen <markokr@gmail.com>, Albe Laurenz <laurenz.albe@wien.gv.at>, Andrew Dunstan <andrew@dunslane.net>, mlortiz <mlortiz@uci.cu>, Magnus Hagander <magnus@hagander.net>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2009-09-28T23:26:52Z
Lists: pgsql-hackers
marcin mank <marcin.mank@gmail.com> writes:
>> The case that ENCRYPTED
>> protects against is database superusers finding out other users'
>> original passwords, which is a security issue to the extent that those
>> users have used the same/similar passwords for other systems.

> I just want to note that md5 is not much of a protection against this
> case these days. Take a look at this:
> http://www.golubev.com/hashgpu.htm

> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.

Yeah, but that will find you a password that hashes to the same thing.
Not necessarily the same password.  It'll get you into the Postgres
DB just fine, which you don't care about because you're already a
superuser there.  It won't necessarily get you into the assumed
third-party systems.

			regards, tom lane