Re: reducing our reliance on MD5

On Wed, Feb 11, 2015 at 5:25 PM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
> On 02/11/2015 06:35 AM, Claudio Freire wrote:
>>
>> Usually because handshakes use a random salt on both sides. Not sure
>> about pg's though, but in general collision strength is required but
>> not slowness, they're not bruteforceable.
>
>
> To be precise: collision resistance is usually not important for hashes used
> in authentication handshakes. Not for our MD5 authentication method anyway;
> otherwise we'd be screwed. What you need is resistance to pre-image attacks.

AFAIK, if I find a colliding string to the MD5 stored in pg_authid, I
can specify that to libpq and get authenticated.

Am I missing something?