| From: | Svenne Krap <svenne(at)krap(dot)dk> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [GENERAL] SHA1 on postgres 8.3 |
| Date: | 2008-04-03 17:07:56 |
| Message-ID: | 47F50EEC.8070008@krap.dk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
Mark Mielke wrote:
>> More two or even three different hashes with different collion-points
>> will strongly increase the security.
> No it doesn't unless you are thinking about a security through
> obscurity argument.
It is really the same argument on all your questions....
If I have a simple table now
ID serial
Username varchar
Password varchar
I currently save only md5(id || username || 'password')* into password,
if I had access to sha1 (for example) i would add another password
column so, having for example
ID serial
Username varchar
Password_md5 varchar
Password_sha1 varchar
No matter how you see it, I get more bits of hash to check against.
I would drop md5 totally and use sha1 and ripemd-160 if possible.. but
currently i use only md5 as it is the only available one.. Loading
pgcrypto is overkill for something as simple as hash-functions.
Svenne
* I prepend the id and the username to guard users with weak passwords
against known hashvalues (rainbow tables) should the box ever get
comprised ... if you are in doubt about the value of this, try google
for 40e94aa51dc5c0ccc5aad4e6aefdde2a and guess the secret password...
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2008-04-03 17:08:43 | Re: PG 8.3.x doesn't get build |
| Previous Message | Andrew Dunstan | 2008-04-03 17:06:25 | Re: modules |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2008-04-03 17:09:58 | Re: [HACKERS] ANALYZE getting dead tuple count hopelessly wrong |
| Previous Message | Tom Lane | 2008-04-03 17:07:44 | Re: Small TRUNCATE glitch |