On Tue, Feb 10, 2015 at 09:30:37PM -0500, Tom Lane wrote: > I think it would be wise to take two steps back and think about what > the threat model is here, and what we actually need to improve. > Offhand I can remember two distinct things we might wish to have more > protection against: > > * scraping of passwords off the wire protocol (but is that still > a threat in an SSL world?). Better salting practice would do more > than replacing the algorithm as such for this, IMO.
Agreed. In 2004 Greg Stark estimated that it would take only 64k connection attempts to get a server-supplied reply of a salt already seen that can be replayed: http://www.postgresql.org/message-id/flat/200410071728.i97hs1a16...@candle.pha.pa.us#200410071728.i97hs1a16...@candle.pha.pa.us If you have a few salts the number goes down further. I think the 32-bit salt length is the greatest risk to our existing MD5 implementation. While leaving MD5 has a theoretical benefit, using a 64-bit salt has a practical benefit. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers