Re: field with Password - Mailing list pgsql-general

From Sam Mason
Subject Re: field with Password
Date
Msg-id 20090204183845.GX3008@frubble.xen.chris-lamb.co.uk
Whole thread Raw
In response to Re: field with Password  (Chris.Ellis@shropshire.gov.uk)
List pgsql-general
On Wed, Feb 04, 2009 at 04:42:05PM +0000, Chris.Ellis@shropshire.gov.uk wrote:
> If you want to be really secure, use both a md5 and sha1 hash, snice it
> has been proved you can generate hash collisions so you could use:
>
>         insert into auth (user_id, salt, password) values
> (1,'blah',md5('blah' || 'test') || sha1('blah' || 'test')) ;

That sounds like a really *bad* idea to me; you've just given an
attacker two choices, MD5 is currently easier to attack than SHA1 but
that may change.  If an attacker can find a password that hashes to the
same thing using one hash there's a reasonable chance it'll hash to the
same thing using the other and they will have broken your scheme (they
have 16 and 20 octets of state respectively, more than most passwords).

It would be much better just to use a stronger hash function to start
with.


--
  Sam  http://samason.me.uk/

pgsql-general by date:

Previous
From: Grzegorz Jaśkiewicz
Date:
Subject: Re: Pet Peeves?
Next
From: Simon Riggs
Date:
Subject: Re: Pet Peeves?