Re: [GENERAL] SHA1 on postgres 8.3

sanjay sharma wrote:
> Hi Tom,
>  
> md5 is not being recommended anywhere because it contains hash 
> collision. Therefore either it should be replaced with SHA1 or any 
> other good hash algorithm or taken out of core completely. md5 in core 
> is worthless now.I am not using it in my application. I am using SHA1 
> in client/web tier for password hashing.
>  
> Would replacing md5 with SHA1 in core involve much work?

sanjay - please do not top-answer, especially when others have put their 
answers below.

MD5 is not broken for purposes that would require a pre-image attack, 
AIUI. That means there is a whole series of uses for which it is still 
quite OK, including password hashing.

That said, there might well be a reason for including a 
collision-resistant hash function in core without including the whole of 
pg_crypto.

cheers

andrew