Re: The Axe list
From | Gregory Stark |
---|---|
Subject | Re: The Axe list |
Date | |
Msg-id | 87abd9yatc.fsf@oxford.xeocode.com |
In reply to | Re: The Axe list (Magnus Hagander <magnus@hagander.net>) |
Responses | Re: The Axe list |
List | pgsql-hackers |
Magnus Hagander <magnus@hagander.net> writes:

> D'Arcy J.M. Cain wrote:
>> On Sun, 12 Oct 2008 12:57:58 +0300
>> "Marko Kreen" <markokr@gmail.com> wrote:
>>> On 10/11/08, D'Arcy J.M. Cain <darcy@druid.net> wrote:
>>>> + if (!random_initialized)
>>>> + {
>>>> + srandom((unsigned int) time(NULL));
>>>> + random_initialized = true;
>>>> + }
>>> This is a bad idea, postgres already does srandom()
>>
>> Is that new? I added that to my local version at one time because I
>> was getting the same salt every time I ran it.
>
> You really should not be using the standard random() function to generate
> salts... You need a more secure one.

Do salts have to be secure at all? I thought they just had to be widely
distributed so that you couldn't use a dictionary attack. The traditional way
to pick crypt salts for /etc/passwd was to use the first two letters of the
username after all.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Get trained by Bruce Momjian - ask me about EnterpriseDB's PostgreSQL training!
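
Review bot: the seed in `srandom((unsigned int) time(NULL));` inside the `if (!random_initialized)` block has one-second resolution, so every process that first reaches this code within the same second gets the same seed and therefore the same random() sequence and the same salt. The call also resets the process-wide random() state, which the reply in this thread says postgres already seeds. Drop the block and rely on the existing seeding, or, if salts must not repeat across processes, take the salt bytes from a source that does not depend on the clock.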