| From: | "Meredith L(dot) Patterson" <mlp(at)osogato(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Jim Michaels <jmichae3(at)yahoo(dot)com>, pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #4876: author of MD5 says it's seriously broken - hash collision resistance problems |
| Date: | 2009-06-24 11:27:11 |
| Message-ID: | 4A420D8F.1000500@osogato.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Magnus Hagander wrote:
> Using MD5 for passwords doesn't, afaik, actually require
> collision-resistance. It requires resistance against preimage-attacks,
> which there are none for MD5. At least not yet.
Marc Stevens et al have a chosen prefix attack on MD5 (similar to a
second preimage attack, but slightly weaker) which they've successfully
used to forge root CA certs, using a cluster of PS3s. Cf. their
presentation at 25c3 last December.
>> this has implications for storing passwords as MD5 hashes. My
>>
>
> That would be the only system use of MD5. What implications are those?
>
> We might want to consider using a safer hash for the password storage at
> some point, but from what I gather it's not really urgent for *that* use.
>
It would be a lot more urgent if we weren't salting, but IIRC we are.
Cheers,
--mlp
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2009-06-24 11:45:04 | Re: BUG #4877: LDAP auth allows empty password string |
| Previous Message | Heikki Linnakangas | 2009-06-24 10:38:24 | Re: psql: FATAL: the database system is in recovery mode |