Re: [GENERAL] SHA1 on postgres 8.3

From: Florian Weimer <fweimer(at)bfk(dot)de>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: David Fetter <david(at)fetter(dot)org>, Greg Sabino Mullane <greg(at)turnstep(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [GENERAL] SHA1 on postgres 8.3
Date: 2008-01-21 15:38:28
Message-ID: 82lk6jp4sr.fsf@mid.bfk.de
Lists: pgsql-general pgsql-hackers

* Tom Lane:

>> MD5 is broken in the sense that you can create two or more meaningful
>> documents with the same hash.
>
> Note that this isn't actually very interesting for the purpose for
> which the md5() function was put into core: namely, hashing passwords
> before they are stored in pg_authid.

No doubt about that. But there are checklists out there, and if you
use MD5 at some point, you need to go to some lengths to explain that
it's okay. That's why I can understand the desire to have sha1 easily
available (even though SHA-1 isn't much better, really, and the
difference doesn't actually matter for many applications).

It's a bit like justifying that you don't need a virus scanner on your
non-Windows server or database server. 8-P

BTW, I'd like to see MD5/SHA-1 for BYTEA, not just TEXT, and with a
BYTEA return value. Does pgcrypto provide that?
--
Florian Weimer <fweimer(at)bfk(dot)de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
