On 6/5/07, Brian Mathis <[EMAIL PROTECTED]> wrote:
On 6/5/07, Marko Kreen <[EMAIL PROTECTED]> wrote:
> Both md5 and sha1 are bad for passwords, no salt and easy to
> bruteforce - due to the tiny amount of data in passwords.
>
> Proper ways is to use crypt() function from pgcrypto module.
> Due to historical accident is has bad name which hints at
> encryption, actually its only purpose is to hash passwords.
> Read more in pgcrypto doc.
If you salt them yourself, there's no problem with md5 or sha1, and
they are arguably more secure than the old "crypt" call. Most modern
linuxes use md5 for password storage.
No, both md5 and sha1 are actually easier to bruteforce than
the old DES-based crypt. Ofcourse that does not mean that
old DES-crypt is good idea. Pgcrypto's crypt() supports bit
more modern md5crypt and bf-crypt algoriths which give much
higher security margin. It can be argued that bf-crypt is the
"state-of-the-art" algorithm for password hashing.
--
marko
---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings
