sanjay sharma wrote:
Hi Tom,
md5 is not being recommended anywhere because it contains hash collision. Therefore either it should be replaced with SHA1 or any other good hash algorithm or taken out of core completely. md5 in core is worthless now. I am not using it in my application. I am using SHA1 in client/web tier for password hashing. Would replacing md5 with SHA1 in core involve much work?

sanjay - please do not top-answer, especially when others have put their answers below.

MD5 is not broken for purposes that would require a pre-image attack, AIUI. That means there is a whole series of uses for which it is still quite OK, including password hashing.

That said, there might well be a reason for including a collision-resistant hash function in core without including the whole of pg_crypto.

cheers

andrew


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)