On Sat, 24 Nov 2012 11:05:38 +0100 "Vlad K." <v...@haronmedia.com> wrote: > > On 11/24/2012 10:15 AM, Rafal Pietrak wrote: > > Some improvement in passwords safety could be gained, if the database > > table access methods (e.g. SELECT...) provided means to limit that > > access to just one entry at a time, and return results only when > > (password) column hash was equal for a single entry. e.g. information is > > not leaking when password dont' match. > > But what about situations where the attackers gained access to the > database itself or faulty discs that got replaced? Isn't just having a > strong hash a better solution? And by strong I mean a bcrypt based or > similar approach that requires significant time to calculate a single hash.
The best defense from this kind of attack is PKI. The client generates a key pair and installs the public key in the application database, keeping the private key to use for auth. Of course, this requires a level of technical knowledge beyond what most users posses, which is a damn shame. -- Bill Moran <wmo...@potentialtech.com> -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
