Greetings,

* Bruce Momjian (br...@momjian.us) wrote:
> On Tue, Mar 1, 2022 at 08:31:19AM -0500, Stephen Frost wrote:
> > > The last time I played with this area is the recent error handling
> > > improvement with cryptohashes but MD5 has actually helped here in
> > > detecting the problem as a patched OpenSSL would complain if trying to
> > > use MD5 as hash function when FIPS is enabled.
> >
> > Having to continue to deal with md5 as an algorithm when it's known to
> > be notably less secure and so much so that organizations essentially ban
> > its use for exactly what we're using it for, in fact, another reason to
>
> Really? I thought it was publicly-visible MD5 hashes that were the
> biggest problem. Our 32-bit salt during the connection is a problem, of
> course.

Neither are good. Not sure that we really need to spend a lot of effort
trying to figure out which issue is the biggest problem.

> > remove it, not a reason to keep it. Better code coverage testing of
> > error paths is the answer to making sure that our error handling behaves
> > properly.
>
> What is the logic to removing md5 but keeping 'password'?

I don't think we should keep 'password'.

Thanks,

Stephen
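The thread above argues for dropping both the `md5` and `password` authentication methods. For an administrator who wants to know whether a cluster is still exposed to either before such a change lands, the following is an added audit script (not code from the PostgreSQL project or from the thread's authors). It classifies `pg_authid.rolpassword` values by their real on-disk formats (`md5` followed by 32 hex digits, or the `SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>` form) and parses `pg_hba.conf` lines to flag rules whose method is `md5` or `password`. The role rows and the `pg_hba.conf` fragment are constructed sample input with placeholder hashes and addresses; in practice you would feed it the output of `SELECT rolname, rolpassword FROM pg_authid;` and the contents of the running server's `pg_hba.conf`.

```python
import re

# Constructed sample of what `SELECT rolname, rolpassword FROM pg_authid;`
# could return on a cluster that still has md5 roles. Hash values are placeholders.
SAMPLE_ROLES = [
    ("app_rw", "md5" + "0123456789abcdef" * 2),
    ("reporting", "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5"),
    ("legacy_svc", None),
]

# Constructed pg_hba.conf fragment (real column layout, made-up addresses).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER   ADDRESS               METHOD
local   all       all                          peer
host    all       all    10.0.0.0/8            md5
host    all       all    10.1.0.0 255.255.0.0  password
hostssl all       all    0.0.0.0/0             scram-sha-256 clientcert=verify-full
"""

MD5_HASH = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_HASH = re.compile(r"^SCRAM-SHA-256\$\d+:[^$]+\$[^:]+:[^:]+$")
# A netmask field is all hex digits, dots and colons; no method name matches this.
NETMASK = re.compile(r"^[0-9a-fA-F.:]+$")

# Methods this audit treats as needing migration: 'md5' (32-bit connection salt,
# stored hash is what the client proves knowledge of) and 'password' (cleartext).
WEAK_METHODS = {"md5", "password"}


def classify_hash(stored):
    """Name the scheme a pg_authid.rolpassword value uses."""
    if stored is None:
        return "none"
    if MD5_HASH.match(stored):
        return "md5"
    if SCRAM_HASH.match(stored):
        return "scram-sha-256"
    return "unknown"


def parse_hba(text):
    """Parse pg_hba.conf lines into (type, database, user, address, method) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            # 'local' rules have no ADDRESS column
            if len(f) < 4:
                continue
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:
            if len(f) < 5:
                continue
            # "host db user 10.1.0.0 255.255.0.0 md5" spreads the address over two fields
            if len(f) >= 6 and NETMASK.match(f[4]):
                rules.append((f[0], f[1], f[2], f[3] + " " + f[4], f[5]))
            else:
                rules.append((f[0], f[1], f[2], f[3], f[4]))
    return rules


def audit(roles, hba_text):
    """Return findings: roles still on md5 hashes and hba rules using weak methods."""
    findings = []
    for name, stored in roles:
        if classify_hash(stored) == "md5":
            findings.append(
                f"role {name}: md5 hash; re-set the password with "
                f"password_encryption=scram-sha-256"
            )
    for kind, db, user, addr, method in parse_hba(hba_text):
        if method in WEAK_METHODS:
            where = addr or "(local socket)"
            findings.append(
                f"pg_hba {kind} {db} {user} {where}: method {method}; "
                f"switch to scram-sha-256"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, SAMPLE_HBA):
        print(finding)
```

Note that a role keeps its `md5` hash until its password is set again under `password_encryption = scram-sha-256`, so changing `pg_hba.conf` alone is not enough: a rule using `scram-sha-256` cannot authenticate a role whose stored hash is still md5, which is why the audit reports both sides.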