On Wed, Oct 10, 2012 at 11:41 AM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
> 1. Salt length. Greg Stark calculated the odds of salt collisions here:
> http://archives.postgresql.org/pgsql-hackers/2004-08/msg01540.php. It's not
> too bad as it is, and as Greg pointed out, if you can eavesdrop it's likely
> you can also hijack an already established connection. Nevertheless I think
> we should make the salt longer, say, 16 bytes.
Fwiw that calculation was based on the rule of thumb that a collision
is likely when you have sqrt(hash space) elements. Wikipedia has a
better formula which comes up with 77,163.
For 16 bytes that formula gives 2,171,938,135,516,356,249 salts before
you expect a collision.
--
greg
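The birthday-bound estimate discussed above, worked through as an added example (not code from the thread or from PostgreSQL). It assumes the standard approximation n ≈ sqrt(2 · H · ln(1/(1−p))) for the number of uniformly random salts drawn from a space of size H before the probability of at least one repeat reaches p, and checks it against the exact product formula for the 4-byte case; the 2^128 case is evaluated with Decimal so the large integer is not rounded through a float.

```python
import math
from decimal import Decimal, getcontext, ROUND_CEILING

# Assumed formula (the usual birthday-problem approximation):
# n(p; H) ~= sqrt(2 * H * ln(1 / (1 - p)))
# For p = 0.5 this is sqrt(2 * H * ln 2).

def birthday_bound(salt_bits, p=0.5):
    """Smallest number of random salts (per the approximation) at which the
    probability of at least one salt collision reaches p.
    Uses Decimal so that a 128-bit salt space gives an exact-looking integer
    rather than a float with lost digits."""
    getcontext().prec = 60
    space = Decimal(2) ** salt_bits                      # H = 2^bits
    ln_term = (Decimal(1) / (Decimal(1) - Decimal(str(p)))).ln()
    n = (2 * space * ln_term).sqrt()
    return int(n.to_integral_value(rounding=ROUND_CEILING))

def collision_probability(salt_bits, n):
    """Exact P(at least one collision among n uniform draws from 2^bits values):
    1 - prod_{i=0}^{n-1} (1 - i/H), accumulated in log space to avoid underflow.
    Intended for the small (4-byte) case; it loops n times."""
    space = float(2 ** salt_bits)
    log_no_collision = 0.0
    for i in range(n):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)

if __name__ == "__main__":
    # 4-byte salt (current MD5 auth salt size): ~77k salts to a 50% collision chance
    n4 = birthday_bound(32)
    print("4-byte salt :", n4, "salts ->", round(collision_probability(32, n4), 4))
    # 16-byte salt as proposed in the thread
    print("16-byte salt:", birthday_bound(128), "salts")
    # Risk table: collision probability after a given number of 4-byte salts
    for n in (1_000, 10_000, 77_163):
        print(f"  p(collision | {n:>6} salts, 32-bit) = {collision_probability(32, n):.4f}")
```

The exact product confirms the approximation is essentially spot-on for the 4-byte space (the sqrt rule of thumb Greg mentions, sqrt(H) = 65,536, undershoots the 50% point by about 15%), and the same function run with 128 bits shows why a 16-byte salt moves the collision bound far beyond any realistic number of authentication attempts.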