Re: [GENERAL] SHA1 on postgres 8.3

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Greg Sabino Mullane" <greg(at)turnstep(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [GENERAL] SHA1 on postgres 8.3
Date: 2008-04-02 15:49:28
Message-ID: 20080402174928.0e6d2f81@mha-laptop
Lists: pgsql-general, pgsql-hackers

Tom Lane wrote:
> "Greg Sabino Mullane" <greg(at)turnstep(dot)com> writes:
> > I don't agree that we should just close discussion. Nobody seems
> > happy with the status quo, which is that we provide md5 but not
> > sha1,
> 
> There may be a few people who are unhappy, but the above claim seems
> vastly overblown.  md5 is sufficient for the purpose it is intended
> for in core postgres (namely, obscuring the true source text of
> passwords), and if you have needs much beyond that you'll soon be
> installing pgcrypto anyway.

I think that claim is completely incorrect.

A lot of people use the md5() function in PostgreSQL today to hash
the passwords for the users of whatever webapp they are running. It
only uses one account to connect to PostgreSQL and handles the rest of
the auth elsewhere in the app. These users would like to have sha1
(and/or other securer hashes). And they would like it in -core, because
their hosting company don't install the contrib modules.

//Magnus
