Re: pgcrypto docs
| От | Miles Elam |
|---|---|
| Тема | Re: pgcrypto docs |
| Дата | |
| Msg-id | CAPVvHdPkcmpFRwVz=tUWEdc0782nDjR1wSM8v-2Eojpw0+prvA@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: pgcrypto docs (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: pgcrypto docs
|
| Список | pgsql-docs |
Personally I've found the relative times instructive, merely outdated. Perhaps using md5 as a baseline and evaluating estimates relative to that baseline?
md5 = 1crypt-md5 = 1,000
crypt-bf/5 = 12,500
crypt-bf/6 = 25,000
crypt-bf/7 = 50,000
crypt-bf/8 = 100,000
crypt-bf/6 = 25,000
crypt-bf/7 = 50,000
crypt-bf/8 = 100,000
This way, with the caveat that performance will vary from machine to machine, there is a sense of the relative costs of using each algorithm, which does not change as wildly with time. It lets people know how bad md5 and sha1 are for protecting passwords et al. It also demonstrates that each turn of blowfish in this module effectively doubles the time needed to crack and halves the number of hashes one can perform.
In short, I'd hate for the baby to be thrown out with the bathwater.
Cheers,
Miles Elam
On Tue, May 7, 2013 at 3:05 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Miles Elam <mileselam+postgresql@gmail.com> writes:It seems like this table is guaranteed to be obsolete in a few years
> Currently the docs show various stats on hashes per second and time needed
> to find a particular key. Unfortunately since the times are based upon a
> Pentium 4 @1.5GHz, I worry that many would take the advice on that page at
> face value, e.g., "more than 100/sec is too much while less than 4/sec is
> too few," with a P4 in mind.
no matter what. Can we get rid of it entirely?
regards, tom lane
В списке pgsql-docs по дате отправления: