On 08/15/2012 06:48 AM, Tom Lane wrote:
>> On Wed, Aug 15, 2012 at 6:11 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>>> Is there a TODO here?
> If anybody's concerned about the security of our password storage,
> they'd be much better off working on improving the length and randomness
> of the salt string than replacing the md5 hash per se.
Or change to an md5 HMAC rather than straight md5 with salt. Last I
checked (which admittedly was a while ago) there were still no known
cryptographic weaknesses associated with an HMAC based on md5.
credativ LLC: http://www.credativ.us
Linux, PostgreSQL, and general Open Source
Training, Service, Consulting, & 24x7 Support
In response to
pgsql-hackers by date
|Next:||From: Andrew Dunstan||Date: 2012-08-15 15:37:04|
|Subject: Re: sha1, sha2 functions into core?|
|Previous:||From: Tom Lane||Date: 2012-08-15 14:05:54|
|Subject: Re: Don't allow relative path for copy from file|