From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
---|---|
To: | "Mark R(dot) Dingee" <mark(dot)dingee(at)cox(dot)net> |
Cc: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: PGSQL encryption functions |
Date: | 2005-11-02 18:59:30 |
Message-ID: | 20051102185930.GA10108@wolff.to |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-sql |
On Tue, Nov 01, 2005 at 17:00:50 -0500,
"Mark R. Dingee" <mark(dot)dingee(at)cox(dot)net> wrote:
> Bruno,
>
> I use an authenticate() function as a part of state maintenance in a PHP web
> app. In the function, I generate an encrypted token that is then used in the
> validation process on subsequent pages. md5 works, but I've been able to
> brute-force crack it very quickly, so I'm looking for an alternative. Any
> thoughts would be greatly appreciated.
This isn't a problem with MD5. While MD5 does have some theoretical weaknesses,
they aren't really an issue in this case.
Why are you using a hash at all? If you are using the hash as a key, why not
just use a random string instead? The web browser could be handed a session id
and random string and on the server you would have a table indexed by session
ids that includes the random string.
On many systems you can use /dev/urandom as a source of random data. Since
you don't seem to be concerned about sniffing, /dev/random is probably overkill
and having it block when low on entropy would probably be a problem for you.
From | Date | Subject | |
---|---|---|---|
Next Message | Shane | 2005-11-02 19:40:01 | Designing a stock portfolio database |
Previous Message | Tom Lane | 2005-11-02 14:54:52 | Re: function, that uses different table(names) |