Re: pgcrypto docs

Personally I've found the relative times instructive, merely outdated.
Perhaps using md5 as a baseline and evaluating estimates relative to that
baseline?

md5 = 1
sha1 = 4
crypt-des = 7
crypt-md5 = 1,000
crypt-bf/5 = 12,500
crypt-bf/6 = 25,000
crypt-bf/7 = 50,000
crypt-bf/8 = 100,000

This way, with the caveat that performance will vary from machine to
machine, there is a sense of the relative costs of using each algorithm,
which does not change as wildly with time. It lets people know how bad md5
and sha1 are for protecting passwords et al. It also demonstrates that
each turn of blowfish in this module effectively doubles the time needed to
crack and halves the number of hashes one can perform.

In short, I'd hate for the baby to be thrown out with the bathwater.

Cheers,

Miles Elam

On Tue, May 7, 2013 at 3:05 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Miles Elam <mileselam+postgresql(at)gmail(dot)com> writes:
> > Currently the docs show various stats on hashes per second and time
> needed
> > to find a particular key. Unfortunately since the times are based upon a
> > Pentium 4 @1.5GHz, I worry that many would take the advice on that page
> at
> > face value, e.g., "more than 100/sec is too much while less than 4/sec is
> > too few," with a P4 in mind.
>
> It seems like this table is guaranteed to be obsolete in a few years
> no matter what. Can we get rid of it entirely?
>
> regards, tom lane
>