Re: [GENERAL] SHA1 on postgres 8.3 - Mailing list pgsql-hackers
| From | Bruce Momjian |
|---|---|
| Subject | Re: [GENERAL] SHA1 on postgres 8.3 |
| Date | |
| Msg-id | 200804020306.m3236QQ00410@momjian.us Whole thread Raw |
| In response to | Re: [GENERAL] SHA1 on postgres 8.3 (Bruce Momjian <bruce@momjian.us>) |
| Responses |
Re: [GENERAL] SHA1 on postgres 8.3
("Greg Sabino Mullane" <greg@turnstep.com>)
Re: [GENERAL] SHA1 on postgres 8.3 (Magnus Hagander <magnus@hagander.net>) |
| List | pgsql-hackers |
There isn't enough agreement to move some things from pgcrypto to the core so this thread is being removed from the patch queue. --------------------------------------------------------------------------- Bruce Momjian wrote: > > I am not thrilled about moving _some_ of pgcrypto into the backend --- > pgcrypto right now seems well designed and if we pull part of it out it > seems it will be less clear than what we have now. Perhaps we just need > to document that md5() isn't for general use and some function in > pgcrypto should be used instead? > > --------------------------------------------------------------------------- > > Marko Kreen wrote: > > On 1/21/08, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > > MD5 is broken in the sense that you can create two or more meaningful > > > > documents with the same hash. > > > > > > Note that this isn't actually very interesting for the purpose for > > > which the md5() function was put into core: namely, hashing passwords > > > before they are stored in pg_authid. > > > > Note: this was bad idea. The function that should have been > > added to core would be pg_password_hash(username, password). > > > > Adding md5() lessens incentive to install pgcrypto or push/accept > > digest() into core and gives impression there will be sha1(), etc > > in the future. > > > > Now users who want to store passwords in database (the most > > popular usage) will probably go with md5() without bothering > > with pgcrypto. They probably see "Postgres itself uses MD5 too", > > without realizing their situation is totally different from > > pg_authid one. > > > > It's like we have solution that is ACID-compliant 99% of the time in core, > > so why bother with 100% one. > > > > -- > > marko > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 4: Have you searched our list archives? > > > > http://archives.postgresql.org > > -- > Bruce Momjian <bruce@momjian.us> http://momjian.us > EnterpriseDB http://postgres.enterprisedb.com > > + If your life is a hard drive, Christ can be your backup. + > > ---------------------------(end of broadcast)--------------------------- > TIP 5: don't forget to increase your free space map settings -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
pgsql-hackers by date: