Re: [GENERAL] SHA1 on postgres 8.3

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Greg Sabino Mullane <greg(at)turnstep(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [GENERAL] SHA1 on postgres 8.3
Date: 2008-04-02 20:34:09
Message-ID: 47F3EDC1.2090105@mark.mielke.cc
Lists: pgsql-general pgsql-hackers

Magnus Hagander wrote:
> I think that claim is completely incorrect.
>
> A lot of people use the md5() function in PostgreSQL today to hash
> the passwords for the users of whatever webapp they are running. It
> only uses one account to connect to PostgreSQL and handles the rest of
> the auth elsewhere in the app. These users would like to have sha1
> (and/or other more secure hashes). And they would like it in -core, because
> their hosting company doesn't install the contrib modules.
>

Hi Magnus:

I don't think this is a compelling argument, and I mostly agree with Tom.

PHP, Perl and Java are just three languages at the tip of my tongue that
have built in support for MD5 and SHA1, and in all cases I can think of
in a few seconds (I might be missing something?), it's far more
desirable to do the MD5 / SHA1 in the language. If the document being
encoded is large, doing it in the client is more efficient from a
network transport perspective, as well as ensuring that the
performance cost is on the web side, not the database side. If the text
to be encoded requires security, then transmitting the password in clear
text to the server only to be MD5 / SHA1 summed is not a great solution,
as it involves transmission of the password. In both cases, I would do
it client side, inside the web app. So, I believe your argument that web
apps need it is faulty.

I think a legitimate use would revolve around using such a function in
pl/pgsql. I can't think of a case where I've ever needed to do that.

Cheers,
mark

--
Mark Mielke <mark(at)mielke(dot)cc>
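The two shapes of the web-app flow that the message above contrasts, as an added Python example (not code from the thread or from PostgreSQL): in the first, the plaintext password is bound as a statement parameter and digested by PostgreSQL's own md5(); in the second, the digest is computed in the application and only the digest is bound, so the password never crosses the connection. The column and table names, the psycopg-style `%s` placeholders, and the sample credentials are assumptions constructed for the example; no database connection is opened, the functions only return the statement and its parameters so the difference can be inspected.

```python
import hashlib
import hmac
import os

# Constructed sample credentials, not taken from the thread.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"


def db_side_statement(username: str, password: str):
    """Shape the message argues against: the plaintext password is sent
    to the server as a bind parameter and PostgreSQL's md5() digests it
    there. Table/column names are assumptions for the example."""
    sql = "INSERT INTO app_user (name, pw_digest) VALUES (%s, md5(%s))"
    params = (username, password)
    return sql, params


def app_side_digest(password: str) -> str:
    """Digest computed inside the application, as the author recommends.
    SHA-1 is used here only because it is the function under discussion."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def app_side_statement(username: str, password: str):
    """Same insert, but only the application-computed digest is bound."""
    sql = "INSERT INTO app_user (name, pw_digest) VALUES (%s, %s)"
    params = (username, app_side_digest(password))
    return sql, params


def plaintext_in_params(password: str, params) -> bool:
    """Check: does the plaintext password appear in what goes on the wire?"""
    return any(p == password for p in params)


def app_side_kdf(password: str, salt: bytes = None, iterations: int = 600_000):
    """Assumed modern variant of the app-side approach: a salted, slow
    key-derivation function (PBKDF2-HMAC-SHA256 from the standard library)
    instead of a single fast digest. Returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


def verify_kdf(password: str, salt: bytes, dk: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison of a candidate password against a stored key."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    sql_db, params_db = db_side_statement(SAMPLE_USER, SAMPLE_PASSWORD)
    sql_app, params_app = app_side_statement(SAMPLE_USER, SAMPLE_PASSWORD)
    print("db-side : plaintext on the wire =", plaintext_in_params(SAMPLE_PASSWORD, params_db))
    print("app-side: plaintext on the wire =", plaintext_in_params(SAMPLE_PASSWORD, params_app))
    salt, dk = app_side_kdf(SAMPLE_PASSWORD)
    print("kdf verify:", verify_kdf(SAMPLE_PASSWORD, salt, dk))
```

The `plaintext_in_params` check makes the transport point concrete: with the db-side statement the password itself is a bind parameter, with the app-side statement only a 40-character hex digest is. The PBKDF2 functions are included because the same "do it in the application" placement is what makes a salted, iterated password hash possible without any server-side function at all.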
