
Re: [GENERAL] SHA1 on postgres 8.3

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Greg Sabino Mullane <greg(at)turnstep(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [GENERAL] SHA1 on postgres 8.3
Date: 2008-04-02 20:34:09
Message-ID: 47F3EDC1.2090105@mark.mielke.cc
Lists: pgsql-general, pgsql-hackers
Magnus Hagander wrote:
> I think that claim is completely incorrect.
>
> A lot of people use the md5() function in PostgreSQL today to hash
> the passwords for the users of whatever webapp they are running. It
> only uses one account to connect to PostgreSQL and handles the rest of
> the auth elsewhere in the app. These users would like to have sha1
> (and/or other securer hashes). And they would like it in -core, because
> their hosting company doesn't install the contrib modules.

Hi Magnus:

I don't think this is a compelling argument, and I mostly agree with Tom.

PHP, Perl and Java are just three languages at the tip of my tongue that 
have built-in support for MD5 and SHA1, and in all cases I can think of 
in a few seconds (I might be missing something?), it's far more 
desirable to do the MD5 / SHA1 in the language. If the document being 
encoded is large, doing it in the client is more efficient from a 
network transport perspective, as well as ensuring that the 
performance cost is on the web side, not the database side. If the text 
to be encoded requires security, then transmitting the password in clear 
text to the server only to be MD5 / SHA1 summed is not a great solution, 
as it involves transmission of the password. In both cases, I would do 
it client-side, inside the web app. So, I believe your argument that web 
apps need it is faulty.

I think a legitimate use would involve using such a function in 
PL/pgSQL. I can't think of a case where I've ever needed to do that.

Cheers,
mark

-- 
Mark Mielke <mark(at)mielke(dot)cc>
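The contrast Mark draws above, as an added example that is not part of the original thread or of PostgreSQL: the md5()-in-the-database pattern ships the plaintext password to the server as a query parameter, while hashing in the web app sends only the digest, both when storing and when checking a login. The cursor class is a constructed stand-in for a DB-API driver that records what would cross the wire; `register_hash_in_database`, `register_hash_in_app`, `verify_in_app` and `plaintext_crossed_the_wire` are names chosen for this example. SHA-1 is used only to match the thread's discussion.

```python
import hashlib
import hmac


class WireCapturingCursor:
    """Constructed stand-in for a DB-API cursor (not a real PostgreSQL
    driver): it records every statement and parameter tuple that would be
    sent to the server and keeps a tiny in-memory "users" table. It only
    understands the statements used in this example."""

    def __init__(self):
        self.sent = []      # (sql, params) pairs: what the server would see
        self.rows = {}      # name -> stored pw_hash
        self._result = None

    def execute(self, sql, params):
        self.sent.append((sql, params))
        if sql.startswith("INSERT"):
            name, value = params
            # Server-side md5(): the server digests the value it received.
            if "md5(%s)" in sql:
                value = hashlib.md5(value.encode("utf-8")).hexdigest()
            self.rows[name] = value
        elif sql.startswith("SELECT"):
            (name,) = params
            self._result = (self.rows[name],) if name in self.rows else None

    def fetchone(self):
        return self._result


def register_hash_in_database(cur, username, password):
    """The usage Magnus describes: the web app ships the plaintext to
    PostgreSQL and asks md5() to digest it there."""
    cur.execute("INSERT INTO users (name, pw_hash) VALUES (%s, md5(%s))",
                (username, password))


def register_hash_in_app(cur, username, password):
    """Mark's alternative: digest inside the web app, so only the digest
    crosses the wire."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    cur.execute("INSERT INTO users (name, pw_hash) VALUES (%s, %s)",
                (username, digest))


def verify_in_app(cur, username, password):
    """Login check that again hashes on the app side and compares in
    constant time, so the password never leaves the app."""
    cur.execute("SELECT pw_hash FROM users WHERE name = %s", (username,))
    row = cur.fetchone()
    if row is None:
        return False
    candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, row[0])


def plaintext_crossed_the_wire(cur, password):
    """True if the password itself appeared in any parameter sent."""
    return any(password in params for _, params in cur.sent)


if __name__ == "__main__":
    # Constructed sample credentials.
    db_side = WireCapturingCursor()
    register_hash_in_database(db_side, "alice", "correct horse")
    print("DB-side md5(): plaintext sent =",
          plaintext_crossed_the_wire(db_side, "correct horse"))

    app_side = WireCapturingCursor()
    register_hash_in_app(app_side, "bob", "correct horse")
    print("login ok:", verify_in_app(app_side, "bob", "correct horse"))
    print("app-side:      plaintext sent =",
          plaintext_crossed_the_wire(app_side, "correct horse"))
```

Besides the transport exposure Mark raises, a plaintext parameter sent to the server can also end up in server-side statement logs, which the app-side variant avoids entirely. A bare SHA-1 digest is shown here only because it is what the thread debates; password storage today uses a salted, deliberately slow construction (for example `hashlib.pbkdf2_hmac`), and that choice is likewise made in the application, which is the point of the post.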

