| From: | dmitriy(dot)davydov(at)deiteriy(dot)com |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Cc: | dmitriy(dot)davydov(at)deiteriy(dot)com |
| Subject: | BUG #14797: It's not safe to use MD5 |
| Date: | 2017-09-05 12:01:06 |
| Message-ID: | 20170905120106.25638.8076@wrigleys.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 14797
Logged by: Dmitriy Davydov
Email address: dmitriy(dot)davydov(at)deiteriy(dot)com
PostgreSQL version: 9.6.5
Operating system: CentOS
Description:
Hello.
Postgresql 9.6.5 , by default , database user passwords are stored as MD5
hashes (18.8 Encryption Options.
http://repo.postgrespro.ru/doc/pgsql/9.6.5/en/postgres-A4-fop.pdf). At the
moment, it's not safe to use MD5.
Unfortunately, Rolename is used as the salt.
(src/backend/commands/user.c
if (!pg_md5_encrypt(password, rolename, strlen(rolename),
encrypted_password)) )
This is also unsafe.
Payment Card Industry (PCI) Data Security Standard requires the use of hash
functions described in FIPS 180-4, such as SHA-256 and SHA-512.
Please make changes in future versions.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Thom Brown | 2017-09-05 12:25:35 | Re: Can't read oprcode from remote pg_operator |
| Previous Message | Tom Lane | 2017-09-05 11:57:39 | Re: Can't read oprcode from remote pg_operator |