Re: Encrypted column

From: "Marko Kreen" <markokr(at)gmail(dot)com>
To: "Brian Mathis" <brian(dot)mathis(at)gmail(dot)com>
Cc: "Tino Wildenhain" <tino(at)wildenhain(dot)de>, "Ranieri Mazili" <ranieri(dot)oliveira(at)terra(dot)com(dot)br>, pgsql-general(at)postgresql(dot)org, pgsql-sql(at)postgresql(dot)org
Subject: Re: Encrypted column
Date: 2007-06-05 14:39:36
Message-ID: e51f66da0706050739v4d504853va2d3f60719690da@mail.gmail.com
Lists: pgsql-general pgsql-sql

On 6/5/07, Brian Mathis <brian(dot)mathis(at)gmail(dot)com> wrote:
> On 6/5/07, Marko Kreen <markokr(at)gmail(dot)com> wrote:
> > Both md5 and sha1 are bad for passwords, no salt and easy to
> > bruteforce - due to the tiny amount of data in passwords.
> >
> > The proper way is to use the crypt() function from the pgcrypto module.
> > Due to historical accident it has a bad name which hints at
> > encryption; actually, its only purpose is to hash passwords.
> > Read more in pgcrypto doc.
>
> If you salt them yourself, there's no problem with md5 or sha1, and
> they are arguably more secure than the old "crypt" call. Most modern
> linuxes use md5 for password storage.

No, both md5 and sha1 are actually easier to bruteforce than
the old DES-based crypt. Of course that does not mean that
old DES-crypt is a good idea. Pgcrypto's crypt() supports the
somewhat more modern md5crypt and bf-crypt algorithms, which give a much
higher security margin. It can be argued that bf-crypt is the
"state-of-the-art" algorithm for password hashing.

--
marko
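The storing and checking pattern Marko is describing, as an added example that is not part of the original thread. It uses pgcrypto's crypt() and gen_salt('bf') as documented; the table name, column names, user name, password and the bcrypt cost of 10 are assumptions for illustration. CREATE EXTENSION requires PostgreSQL 9.1 or later; on the 8.x releases current when this message was written, pgcrypto was loaded from the contrib SQL script instead.

```sql
-- Added example, not from the original thread. Table, columns, user name,
-- password and the cost value below are illustrative assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    id        serial PRIMARY KEY,
    username  text NOT NULL UNIQUE,
    -- holds the full crypt() output: algorithm id, cost, salt and hash
    pw_hash   text NOT NULL
);

-- Storing: gen_salt('bf', 10) draws a fresh random salt and encodes the
-- bcrypt cost (2^10 rounds) into it. crypt() returns a '$2a$10$...' string
-- that carries algorithm, cost, salt and hash, so nothing else is stored.
INSERT INTO app_user (username, pw_hash)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 10)));

-- Verifying: pass the stored hash as the "salt" argument. crypt() reads the
-- algorithm, cost and salt back out of it and recomputes; the candidate
-- password is correct exactly when the recomputed string equals the stored one.
SELECT username,
       crypt('correct horse battery staple', pw_hash) = pw_hash AS password_ok
FROM app_user
WHERE username = 'alice';

SELECT username,
       crypt('wrong password', pw_hash) = pw_hash AS password_ok
FROM app_user
WHERE username = 'alice';

-- Raising the cost later needs no schema change: each row records its own
-- cost, so re-hash with a larger gen_salt('bf', N) on the next successful
-- login and old rows keep verifying until then.
```

The first SELECT returns password_ok = true and the second false. The point of passing the stored value back into crypt() is that the salt is never handled separately by application code, which is the mistake a hand-rolled salted md5 or sha1 scheme invites; it also keeps md5crypt (gen_salt('md5')) and bf-crypt hashes verifiable side by side in the same column during a migration.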
