On Mon, Nov 4, 2013 at 12:04 PM, John Arbash Meinel <[email protected]> wrote:
> On 2013-11-04 17:52, roger peppe wrote:
>> There's no point in salting the agent passwords, and we can't
>> easily change things to salt the user passwords until none of the
>> command line tools talk directly to mongo, so I'm +1 on john's
>> patch for now.
>
> We can absolutely salt both. *Salt* is all about reading the salt from
> what you've stored in the DB and using that to compute the hash. It is
> simply to prevent rainbow attacks (precompute the hash of 1M common
> user passwords and compare it to the content in the DB.)

Roger was talking about the agent passwords, which you described as having passwords that are "nice long random strings". There's no "common user password" in that case.

gustavo @ http://niemeyer.net
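
The point under discussion, as an added Go example that is not part of the original thread or of Juju's code: a table of precomputed unsalted hashes recovers a common user password, stops matching once a stored salt is mixed in, and never matches a long random agent password even without a salt. SHA-512, the salt-prefix construction, the function names and the sample password list are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
)

// hashPassword returns base64(SHA-512(salt || password)); an empty salt gives
// the unsalted hash. The construction is an assumption, not Juju's scheme.
func hashPassword(password, salt string) string {
	sum := sha512.Sum512([]byte(salt + password))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// randomString returns n random bytes, base64-encoded (salts, agent passwords).
func randomString(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(b)
}

// precomputed builds the table described in the thread:
// unsalted hash of each common password -> that password.
func precomputed(common []string) map[string]string {
	table := make(map[string]string, len(common))
	for _, p := range common {
		table[hashPassword(p, "")] = p
	}
	return table
}

// recovered reports whether a stored hash appears in the precomputed table.
func recovered(table map[string]string, stored string) bool {
	_, ok := table[stored]
	return ok
}

func main() {
	table := precomputed([]string{"123456", "password", "letmein"}) // constructed sample list
	salt := randomString(12)  // per-record salt, stored next to the hash
	agent := randomString(18) // stands in for a "nice long random string"
	fmt.Println("user, unsalted: ", recovered(table, hashPassword("letmein", "")))
	fmt.Println("user, salted:   ", recovered(table, hashPassword("letmein", salt)))
	fmt.Println("agent, unsalted:", recovered(table, hashPassword(agent, "")))
}
```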
