Postgres Pro
Downloads
Home   >   mailing lists

Thread: sha1 function

sha1 function

From
Martin Marques
Date:
We are at the moment planning on passing some passwords that are plain
texted in our DB to some encrypted form as now they will be used for
processes that require better security measures.

We started looking at md5() but found that it's easy to crack and one of
the systems uses CHAP authentication, and so SHA1 hashing.

So, two questions arise.

1) Is MD5's weakness true?

2) Is there any sha1() functions in PostgreSQL?

--
  21:50:04 up 2 days,  9:07,  0 users,  load average: 0.92, 0.37, 0.18
---------------------------------------------------------
Lic. Martín Marqués         |   SELECT 'mmarques' ||
Centro de Telemática        |       '@' || 'unl.edu.ar';
Universidad Nacional        |   DBA, Programador,
     del Litoral             |   Administrador
---------------------------------------------------------

Re: sha1 function

From
Richard Huxton
Date:
Martin Marques wrote:
> We are at the moment planning on passing some passwords that are plain
> texted in our DB to some encrypted form as now they will be used for
> processes that require better security measures.
>
> We started looking at md5() but found that it's easy to crack and one of
> the systems uses CHAP authentication, and so SHA1 hashing.
>
> So, two questions arise.
>
> 1) Is MD5's weakness true?

Well (and I'm not a security expert so please check details), there are
some issues with MD5:
1. There were some recent breakthroughs in generating multiple documents
that match a given MD5 hash. This is less of a threat to passwords and
more to document forgery.
2. It's practical nowadays to pre-calculate "rainbow tables" to cover
all possible combinations of a short password (hence the use of a "salt"
to extend the password length).
3. You can't get from the hash back to a password easily. So - it's no
use for storing passwords for other systems, just for checking supplied
passwords.

What you need to ask is what you're protecting against. If someone has
access to the database, have they also gained access to the process that
uses these passwords, so allowing them to watch the unencrypted password
be tested?

> 2) Is there any sha1() functions in PostgreSQL?

See contrib/pgcrypto in the source distribution or the equivalent in
whatever package you use.

--
   Richard Huxton
   Archonet Ltd

Re: sha1 function

From
"Phoenix Kiula"
Date:
On 01/10/2007, Martin Marques <martin@bugs.unl.edu.ar> wrote:
>
> 1) Is MD5's weakness true?


Yes, but not really for using in a password functionality. You are
very unlikely to repeat a password but in any case you will have the
user ID to make it unique.


> 2) Is there any sha1() functions in PostgreSQL?
>


It doesn't come with the default setup, but it's very simple to get.
Take a look at this: http://snipr.com/pg_sha1