
Re: [GENERAL] SHA1 on postgres 8.3

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Marko Kreen <markokr(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Florian Weimer <fweimer(at)bfk(dot)de>, David Fetter <david(at)fetter(dot)org>, Greg Sabino Mullane <greg(at)turnstep(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [GENERAL] SHA1 on postgres 8.3
Date: 2008-01-28 18:56:30
Message-ID: 200801281856.m0SIuUm05011@momjian.us
Lists: pgsql-general, pgsql-hackers
I am not thrilled about moving _some_ of pgcrypto into the backend ---
pgcrypto right now seems well designed and if we pull part of it out it
seems it will be less clear than what we have now.  Perhaps we just need
to document that md5() isn't for general use and some function in
pgcrypto should be used instead?

---------------------------------------------------------------------------

Marko Kreen wrote:
> On 1/21/08, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > > MD5 is broken in the sense that you can create two or more meaningful
> > > documents with the same hash.
> >
> > Note that this isn't actually very interesting for the purpose for
> > which the md5() function was put into core: namely, hashing passwords
> > before they are stored in pg_authid.
> 
> Note: this was a bad idea.  The function that should have been
> added to core would be pg_password_hash(username, password).
> 
> Adding md5() lessens the incentive to install pgcrypto or push/accept
> digest() into core and gives the impression there will be sha1(), etc.
> in the future.
> 
> Now users who want to store passwords in the database (the most
> popular usage) will probably go with md5() without bothering
> with pgcrypto.  They probably see "Postgres itself uses MD5 too",
> without realizing their situation is totally different from
> the pg_authid one.
> 
> It's like we have a solution that is ACID-compliant 99% of the time in core,
> so why bother with the 100% one.
> 
> -- 
> marko
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Have you searched our list archives?
> 
>                http://archives.postgresql.org

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
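The contrast the thread draws (a bare md5() over a user-supplied password in an application table versus pgcrypto, and versus what pg_authid actually stores) is easier to see side by side. The following is an added SQL example and not code from either poster; it assumes PostgreSQL with the pgcrypto contrib module installed (CREATE EXTENSION pgcrypto on 9.1 and later, or the contrib SQL script on 8.3), and the table and column names are illustrative.

```sql
-- Added example, not from the thread. Assumes pgcrypto is installed.
-- Table and column names are illustrative.
CREATE TABLE app_user (
    username text PRIMARY KEY,
    pw_hash  text NOT NULL
);

-- Weak: the core md5() function yields an unsalted, fast digest. Equal
-- passwords hash to equal values and precomputed tables apply directly.
-- This is the pattern the thread expects users to fall into.
INSERT INTO app_user VALUES ('alice', md5('correct horse'));

-- Better: pgcrypto's crypt() with a per-user random salt from gen_salt().
-- 'bf' selects the Blowfish-based scheme; the second argument is the cost
-- (work factor 2^n), so the hash is deliberately slow to brute-force.
INSERT INTO app_user VALUES ('bob', crypt('correct horse', gen_salt('bf', 8)));

-- Verification: crypt() re-hashes the candidate using the salt embedded in
-- the stored hash, so equality with the stored value means a match.
SELECT username
  FROM app_user
 WHERE username = 'bob'
   AND pw_hash  = crypt('correct horse', pw_hash);   -- one row on success

-- pgcrypto's digest() is what the thread mentions as the general-purpose
-- hash that could have gone into core; it returns bytea, hence encode().
SELECT encode(digest('some document', 'sha1'), 'hex') AS sha1_hex;

-- For reference, what the server stores for a role in pg_authid:
-- 'md5' || md5(password || username). The role name acts as the salt,
-- which is why that case differs from an application's bare md5(password).
SELECT 'md5' || md5('correct horse' || 'alice') AS pg_authid_style;
```

The verification query is the point worth noting: with crypt() the salt travels inside the stored hash, so the application never has to manage a separate salt column, whereas the md5() row for alice is comparable directly against any other md5('correct horse') value anyone else has computed.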
