Tom Lane wrote:
> "Greg Sabino Mullane" <greg@turnstep.com> writes:
> > I don't agree that we should just close discussion. Nobody seems
> > happy with the status quo, which is that we provide md5 but not
> > sha1,
>
> There may be a few people who are unhappy, but the above claim seems
> vastly overblown. md5 is sufficient for the purpose it is intended
> for in core postgres (namely, obscuring the true source text of
> passwords), and if you have needs much beyond that you'll soon be
> installing pgcrypto anyway.
I think that claim is completely incorrect.
A lot of people use the md5() function in PostgreSQL today to hash
the passwords for the users of whatever webbapp they are running. It
only uses one account to connect to PostgreSQL and handles the rest of
the auth elsewhere in the app. These users would like to have sha1
(and/or other securer hashes). And they would like it in -core, because
their hosting company don't install the contrib modules.
//Magnus
