| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Mark R(dot) Dingee" <mark(dot)dingee(at)cox(dot)net> |
| Cc: | pgsql-sql(at)postgresql(dot)org, mario(dot)splivalo(at)mobart(dot)hr |
| Subject: | Re: PGSQL encryption functions |
| Date: | 2005-11-02 14:39:52 |
| Message-ID: | 5332.1130942392@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
"Mark R. Dingee" <mark(dot)dingee(at)cox(dot)net> writes:
> The script I'm using to "break" md5 presumes that the cracker knows the 3
> elements being concatenated together to form the plain-text sting which is
> then passed into md5. The method I'm using then begins running through
> various permutations. Do you believe that the methodology is appropriate or
> that I'm being a bit paranoid?
Well, this is a fundamentally insecure way of using *any* crypto hash method.
You're blaming MD5 for the fact that you're misusing it.
There has to be some component of the hash input that the attacker
doesn't know and can't trivially guess. Adding a randomly chosen "salt"
string is one common way to do that.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Blixt | 2005-11-02 14:40:50 | Function with dynamic command (EXECUTE) not working |
| Previous Message | Moritz Bayer | 2005-11-02 14:23:18 | Re: function, that uses different table(names) |