Thread: removal of md5 from example code
The following documentation comment has been logged on the website: Page: https://www.postgresql.org/docs/10/static/citext.html Description: The documentation at https://www.postgresql.org/docs/current/static/citext.html shows an example using md5 for password hashes. This is generally a bad practice and not relevant to the feature documented. I recommend removing the password column from this example or replacing the md5 hash with something more secure (a secure hash algorithm with a salt).
On 1/17/18 11:14, PG Doc comments form wrote: > The documentation at > https://www.postgresql.org/docs/current/static/citext.html shows an example > using md5 for password hashes. This is generally a bad practice and not > relevant to the feature documented. > > I recommend removing the password column from this example or replacing the > md5 hash with something more secure (a secure hash algorithm with a salt). We don't have any other hash functions built in and exposed at the SQL level. (Maybe that is a problem.) Do you have any other ideas how to rewrite that example? -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
I think I get it, now.
Is the reason for including the `pass` in the example so that the documentation can demonstrate `citext` along side case-sensitive text?
If so, I struggle to come up with anything more obvious than a password hash for a case where case-sensitive comparison of text is necessary. The only other thing that comes to mind is an external system identifier like a Salesforce object id of a user. That would not be as universally obvious an example of case-sensitivity to all PostgreSQL users..
Is the reason for including the `pass` in the example so that the documentation can demonstrate `citext` along side case-sensitive text?
If so, I struggle to come up with anything more obvious than a password hash for a case where case-sensitive comparison of text is necessary. The only other thing that comes to mind is an external system identifier like a Salesforce object id of a user. That would not be as universally obvious an example of case-sensitivity to all PostgreSQL users..
On Tue, Jan 30, 2018 at 10:02 PM, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
On 1/17/18 11:14, PG Doc comments form wrote:
> The documentation at
> https://www.postgresql.org/docs/current/static/citext. html shows an example
> using md5 for password hashes. This is generally a bad practice and not
> relevant to the feature documented.
>
> I recommend removing the password column from this example or replacing the
> md5 hash with something more secure (a secure hash algorithm with a salt).
We don't have any other hash functions built in and exposed at the SQL
level. (Maybe that is a problem.) Do you have any other ideas how to
rewrite that example?
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On 1/17/18 11:14, PG Doc comments form wrote: > The documentation at > https://www.postgresql.org/docs/current/static/citext.html shows an example > using md5 for password hashes. This is generally a bad practice and not > relevant to the feature documented. > > I recommend removing the password column from this example or replacing the > md5 hash with something more secure (a secure hash algorithm with a salt). This has been fixed in the master branch. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services