Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Isak Hansen <isak(dot)hansen(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres
Date: 2011-06-09 03:46:08
Message-ID: 4DF04200.1010704@postnewspapers.com.au
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On 09/06/11 03:07, Isak Hansen wrote:

> While MD5 is considered broken for certain applications, it's still
> perfectly valid for auth purposes.

MD5 rainbow tables can be calculated quickly using services easily
available to anyone (eg: EC2) and rainbow tables for passwords up to 8
chars have been successfully used in demo and real attacks several times
in the last year. It's looking pretty shakey.

That said, _properly_ _salted_ md5 is still likely to be strong enough
for most people's likely attack scenarios for quite some time to come.
It's only unsalted md5 that's dangerously stupid to use now - and it was
never exactly a good idea.

If you do your own user/password storage with a "users" table in the
database or whatever, make sure you salt the passwords for encryption.

--
Craig Ringer

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Andrea Peri 2011-06-09 06:14:00 Adding "quota user limit" using triggers
Previous Message Adrian Klaver 2011-06-08 23:54:50 Re: Converting uuid primary key column to serial int