| From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Steve Atkins <steve(at)blighty(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Salt in encrypted password in pg_shadow |
| Date: | 2004-09-08 17:19:48 |
| Message-ID: | 20040908171948.GA30362@wolff.to |
| Lists: | pgsql-general |

On Wed, Sep 08, 2004 at 00:33:39 -0400,
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> I've been hearing rumblings that MD5 and all other known crypto
> protocols are known vulnerable since the latest crypto symposiums.
> (Not that we didn't all suspect the NSA et al could break 'em, but
> now they've told us exactly how they do it.)

Things aren't currently that bad. So far people have found a way to find
two strings that give the same hash using MD5. They haven't yet found a way
to find a string which hashes to a given hash. SHA-0 was also shown to
have some weakness. From comments I have read, I don't think SHA-1 was
shown to have any weaknesses. One comment specifically mentioned that
the change made between SHA-0 and SHA-1 seems to have been made to address
the weakness found in SHA-0. I haven't read the source papers, so take this
all with a grain of salt.