PostgreSQL
BonBon Slick, 2017-09-12 14:08:07

Why does PostgreSQL use md5 hashing when authenticating a user against a DB?

https://wiki.postgresql.org/wiki/Client_Authentication

A typical recommended setup for network access to the database takes the local LAN address and only allows clients who authenticate using a secure MD5 password.

As far as I know, md5 can already be broken without any problem using RainbowCrack.
What am I missing? Please tell me.


2 answer(s)
Melkij, 2017-09-12
@BonBonSlick

If your password transfer between the application and the DBMS can be intercepted, then you already have a problem, and a much more serious one than the fact that the password can theoretically be guessed (rainbow tables don't help much, because what is hashed with md5 is far from just the password).
If the traffic between the application and the database goes through the wild outside world, then you need the ssl* settings in postgresql.conf. With those you get all the TLSv1.2 goodies, and the password can be transmitted even in plaintext.
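
What the md5 method stores and what it sends over the wire, as an added example that is not part of the original answer and is not PostgreSQL's own code. The user name, password and salts are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    # What the server keeps: "md5" + md5(password || username)
    return "md5" + md5_hex(password.encode() + user.encode())


def client_response(user: str, password: str, salt: bytes) -> str:
    # What the client sends: "md5" + md5(hex(md5(password || username)) || salt)
    inner = md5_hex(password.encode() + user.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    # Server recomputes the response from its stored verifier and the salt it issued
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values; a real server picks a random 4-byte salt per attempt
    user, password = "app_user", "correct horse"
    salt_a = bytes.fromhex("01020304")
    salt_b = bytes.fromhex("a1b2c3d4")
    verifier = stored_verifier(user, password)
    resp_a = client_response(user, password, salt_a)
    plain = md5_hex(password.encode())  # what a plain md5(password) table would hold
    return {
        "accepted": server_check(verifier, salt_a, resp_a),
        "replay_rejected": not server_check(verifier, salt_b, resp_a),
        "not_plain_md5": plain not in verifier and plain not in resp_a,
        "per_user": stored_verifier("other_user", password) != verifier,
    }


if __name__ == "__main__":
    print(demo())
```

The per-attempt salt only makes each response different; it does not hide the exchange from someone who can read the traffic, which is what the ssl* settings are for.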

ky0, 2017-09-12
@ky0

In normally configured systems, knowing the DBMS user's password gives you nothing: nobody allows logins to the DBMS from anywhere, only from specific, fairly fenced-off places. Otherwise, what can one say: SSZB.
