Re: [GENERAL] SHA1 on postgres 8.3
From | Mark Mielke |
---|---|
Subject | Re: [GENERAL] SHA1 on postgres 8.3 |
Date | |
Msg-id | 47F505B8.1030707@mark.mielke.cc |
In reply to | Re: [GENERAL] SHA1 on postgres 8.3 (Svenne Krap <svenne@krap.dk>) |
Responses | Re: [GENERAL] SHA1 on postgres 8.3 |
List | pgsql-hackers |

Svenne Krap wrote:
> Mark Mielke wrote:
>> This presumes that better hashes truly exist. It is basic math to
>> show that all hashes will include collisions. Ignoring the
>> possibility that one hash has theoretical better distribution for
>> real documents, the real "benefit" of SHA-1 over MD5, is that it has
>> more bits. The "ultimate" solution here, is to store the original
>> using the "full copy" hash technique, with 0 chance of collision.
>> This extreme defeats the purpose of a hash to start with.
>>
>> Why does PostgreSQL need something better than md5 as part of core?
>> Bragging rights?
> Having more than one hash algorithm significantly decreases the risk
> of (common) collisions.

No it doesn't. More bits reduces risk of collisions. Additional algorithms just muddy the waters.

> As a non-developer (who does track most messages on the list anyways),
> I surely find the SHA* functions will add significant value and they
> should be easy to install (well-defined functions) with no
> maintenance afterwards.
> Hashes are an absolute minimum for keeping passwords stored somewhat
> safely in a database.

It has yet to be proven that MD5 is insufficient for this purpose. "Significant value" being what?

> More two or even three different hashes with different collision-points
> will strongly increase the security.

No it doesn't unless you are thinking about a security through obscurity argument.

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>