RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 04/21/05

    Date: Thu, 21 Apr 2005 15:31:42 -0600
    To: "Mike Fratto" <mfratto@nwc.com>
    
    

    It also slows down cracking numerous passwords in parallel using a
    dictionary/heuristic approach a la john the ripper - without a salt, you
    can calculate the hash of each password guess once, and then scan
    through an entire shadow file for the hash. With salts, you have to
    hash each guess once per user in the list, or at least per user you're
    interested in attacking.

    In the case of the postgres passwords, the user name seems to act as a
    sort of "public" salt. Knowing some user IDs, you might precompute a
    set of hashes for each targeted user, in anticipation of getting your
    hands on the password hashes later.

    Mark

    > -----Original Message-----
    > From: Mike Fratto

    > I am pretty sure the intent of the salt is to make
    > pre-computation of dictionaries infeasible due to storage
    > requirements. It doesn't really add to the keyspace because
    > the salt is known and doesn't have to be guessed.


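As an added illustration of the salt argument in the message above (example code, not from the thread), the following compares PostgreSQL's md5 storage format, "md5" + hex(md5(password || username)), with a hypothetical random-salt scheme, and counts the hash work needed to test guesses under each. The random-salt scheme and the operation-counting helper are assumptions for comparison, not anything PostgreSQL does.

```python
import hashlib
import secrets
from typing import Optional


def pg_md5_hash(password: str, username: str) -> str:
    """PostgreSQL md5 password storage: 'md5' + hex(md5(password || username)).
    The username is the only 'salt', so it is public and fixed per account."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def verify_pg_md5(stored: str, password: str, username: str) -> bool:
    return stored == pg_md5_hash(password, username)


def random_salt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hypothetical comparison scheme (not PostgreSQL's): a fresh random
    per-record salt stored next to the digest as 'salthex$digest'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_random_salt(stored: str, password: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return stored == random_salt_hash(password, bytes.fromhex(salt_hex))


def guess_hash_ops(num_guesses: int, num_users: int, per_user_salt: bool) -> int:
    """Hash computations needed to test every guess against every stored hash
    (cost model from the message): unsalted, each guess is hashed once and
    compared against all users; salted, once per (guess, user) pair."""
    return num_guesses * (num_users if per_user_salt else 1)


def salt_comparison(password: str, username: str) -> dict:
    """Same account stored on two independent servers. With the username as
    salt the stored values are identical, so a table keyed on a known username
    can be built before any hash is seen; with random salts they differ."""
    pg_a, pg_b = pg_md5_hash(password, username), pg_md5_hash(password, username)
    rs_a, rs_b = random_salt_hash(password), random_salt_hash(password)
    return {"username_salt_identical": pg_a == pg_b,
            "random_salt_identical": rs_a == rs_b}
```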
