Re: sha1 function
| От | Richard Huxton |
|---|---|
| Тема | Re: sha1 function |
| Дата | |
| Msg-id | 470105B1.2020207@archonet.com обсуждение исходный текст |
| Ответ на | sha1 function (Martin Marques <martin@bugs.unl.edu.ar>) |
| Список | pgsql-general |
Martin Marques wrote: > We are at the moment planning on passing some passwords that are plain > texted in our DB to some encrypted form as now they will be used for > processes that require better security measures. > > We started looking at md5() but found that it's easy to crack and one of > the systems uses CHAP authentication, and so SHA1 hashing. > > So, two questions arise. > > 1) Is MD5's weakness true? Well (and I'm not a security expert so please check details), there are some issues with MD5: 1. There were some recent breakthroughs in generating multiple documents that match a given MD5 hash. This is less of a threat to passwords and more to document forgery. 2. It's practical nowadays to pre-calculate "rainbow tables" to cover all possible combinations of a short password (hence the use of a "salt" to extend the password length). 3. You can't get from the hash back to a password easily. So - it's no use for storing passwords for other systems, just for checking supplied passwords. What you need to ask is what you're protecting against. If someone has access to the database, have they also gained access to the process that uses these passwords, so allowing them to watch the unencrypted password be tested? > 2) Is there any sha1() functions in PostgreSQL? See contrib/pgcrypto in the source distribution or the equivalent in whatever package you use. -- Richard Huxton Archonet Ltd
В списке pgsql-general по дате отправления: