Re: A stab at implementing better password hashing, with mixed results
Peter Bex <peter.bex@xs4all.nl>
From: Peter Bex <Peter.Bex@xs4all.nl>
To: PostgreSQL hackers <pgsql-hackers@postgresql.org>
Date: 2012-12-27T15:39:13Z
Lists: pgsql-hackers
On Thu, Dec 27, 2012 at 12:31:08PM -0300, Claudio Freire wrote: > On Thu, Dec 27, 2012 at 11:46 AM, Peter Bex <Peter.Bex@xs4all.nl> wrote: > > > > Implementing a more secure challenge-response based algorithm means > > a change in the client-server protocol. Perhaps something like SCRAM > > (maybe through SASL) really is the way forward for this, but that > > seems like quite a project and it seems to dictate how the passwords are > > stored; it requires a hash of the PBKDF2 algorithm to be stored. > > It would be nonsense to do it in any other way... protecting the > password store and not the exchange would just shift the weak spot. Yeah, that's why I was being rather pessimistic about the patch I posted. However, SCRAM will only protect the password; SSL is still required to protect against connection hijacking. Cheers, Peter -- http://sjamaan.ath.cx -- "The process of preparing programs for a digital computer is especially attractive, not only because it can be economically and scientifically rewarding, but also because it can be an aesthetic experience much like composing poetry or music." -- Donald Knuth