On Tue, Feb 10, 2015 at 09:30:37PM -0500, Tom Lane wrote:
> I think it would be wise to take two steps back and think about what
> the threat model is here, and what we actually need to improve.
> Offhand I can remember two distinct things we might wish to have more
> protection against:
>
> * scraping of passwords off the wire protocol (but is that still
> a threat in an SSL world?). Better salting practice would do more
> than replacing the algorithm as such for this, IMO.
Agreed. In 2004 Greg Stark estimated that it would take only 64k
connection attempts to get a server-supplied reply of a salt already
seen that can be replayed:
http://www.postgresql.org/message-id/flat/200410071728.i97HS1a16128@candle.pha.pa.us#200410071728.i97HS1a16128@candle.pha.pa.us
If you have a few salts the number goes down further. I think the
32-bit salt length is the greatest risk to our existing MD5
implementation. While leaving MD5 has a theoretical benefit, using a
64-bit salt has a practical benefit.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ Everyone has their own god. +