Re: field with Password

From: Sam Mason <sam(at)samason(dot)me(dot)uk>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: field with Password
Date: 2009-02-04 18:38:46
Message-ID: 20090204183845.GX3008@frubble.xen.chris-lamb.co.uk
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Wed, Feb 04, 2009 at 04:42:05PM +0000, Chris(dot)Ellis(at)shropshire(dot)gov(dot)uk wrote:
> If you want to be really secure, use both a md5 and sha1 hash, snice it
> has been proved you can generate hash collisions so you could use:
>
> insert into auth (user_id, salt, password) values
> (1,'blah',md5('blah' || 'test') || sha1('blah' || 'test')) ;

That sounds like a really *bad* idea to me; you've just given an
attacker two choices, MD5 is currently easier to attack than SHA1 but
that may change. If an attacker can find a password that hashes to the
same thing using one hash there's a reasonable chance it'll hash to the
same thing using the other and they will have broken your scheme (they
have 16 and 20 octets of state respectively, more than most passwords).

It would be much better just to use a stronger hash function to start
with.

--
Sam http://samason.me.uk/

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Simon Riggs 2009-02-04 18:42:27 Re: Pet Peeves?
Previous Message Mark Roberts 2009-02-04 18:38:20 Re: Pet Peeves?