Home > mailing lists

Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres - Mailing list pgsql-general

From	Craig Ringer
Subject	Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres
Date	June 9, 2011 03:46:19
Msg-id	4DF04200.1010704@postnewspapers.com.au Whole thread Raw
In response to	Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres (Isak Hansen <isak.hansen@gmail.com>)
Responses	Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres (Bill Moran <wmoran@potentialtech.com>) Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres (Isak Hansen <isak.hansen@gmail.com>) Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres (Isak Hansen <isak.hansen@gmail.com>)
List	pgsql-general

Tree view

On 09/06/11 03:07, Isak Hansen wrote:

> While MD5 is considered broken for certain applications, it's still
> perfectly valid for auth purposes.

MD5 rainbow tables can be calculated quickly using services easily
available to anyone (eg: EC2) and rainbow tables for passwords up to 8
chars have been successfully used in demo and real attacks several times
in the last year. It's looking pretty shakey.

That said, _properly_ _salted_ md5 is still likely to be strong enough
for most people's likely attack scenarios for quite some time to come.
It's only unsalted md5 that's dangerously stupid to use now - and it was
never exactly a good idea.

If you do your own user/password storage with a "users" table in the
database or whatever, make sure you salt the passwords for encryption.

--
Craig Ringer

pgsql-general by date:

From: Adrian Klaver
Date: 08 June 2011, 23:55:03
Subject: Re: Converting uuid primary key column to serial int

From: Andrea Peri
Date: 09 June 2011, 06:14:10
Subject: Adding "quota user limit" using triggers

Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres - Mailing list pgsql-general

Previous

Next