From: | Mark Mielke <mark(at)mark(dot)mielke(dot)cc> |
---|---|
To: | Svenne Krap <svenne(at)krap(dot)dk> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [GENERAL] SHA1 on postgres 8.3 |
Date: | 2008-04-03 16:28:40 |
Message-ID: | 47F505B8.1030707@mark.mielke.cc |
Lists: | pgsql-general pgsql-hackers |
Svenne Krap wrote:
> Mark Mielke wrote:
>> This presumes that better hashes truly exist. It is basic math to
>> show that all hashes will include collisions. Ignoring the
>> possibility that one hash has theoretical better distribution for
>> real documents, the real "benefit" of SHA-1 over MD5, is that it has
>> more bits. The "ultimate" solution here, is to store the original
>> using the "full copy" hash technique, with 0 chance of collision.
>> This extreme defeats the purpose of a hash to start with.
>>
>> Why does PostgreSQL need something better than md5 as part of core?
>> Bragging rights?
> Having more than one hash algorithm significantly decreases the risk
> of (common) collisions.
No it doesn't. More bits reduces risk of collisions. Additional
algorithms just muddy the waters.
> As a non-developer (who does track most messages on the list anyways),
> I surely find the SHA* functions will add significant value and they
> should be easy to install (well-defined functions) with no
> maintenance afterwards.
> Hashes are an absolute minimum for keeping passwords stored somewhat
> safely in a database.
It has yet to be proven that MD5 is insufficient for this purpose.
"Significant value" being what?
> More two or even three different hashes with different collision-points
> will strongly increase the security.
No it doesn't unless you are thinking about a security through obscurity
argument.
Cheers,
mark
--
Mark Mielke <mark(at)mielke(dot)cc>