Magnus Hagander <[EMAIL PROTECTED]> writes:
> D'Arcy J.M. Cain wrote:
>> On Sun, 12 Oct 2008 12:57:58 +0300
>> "Marko Kreen" <[EMAIL PROTECTED]> wrote:
>>> On 10/11/08, D'Arcy J.M. Cain <[EMAIL PROTECTED]> wrote:
>>>> + if (!random_initialized)
>>>> + {
>>>> + srandom((unsigned int) time(NULL));
>>>> + random_initialized = true;
>>>> + }
>>> This is a bad idea, postgres already does srandom()
>>
>> Is that new? I added that to my local version at one time because I
>> was getting the same salt every time I ran it.
>
> You really should not be using the standard random() function to generate
> salts... You need a more secure one.
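Review bot: the seed in `srandom((unsigned int) time(NULL));` has one-second granularity, so two runs that start in the same second draw the identical random() stream and hence the identical salt, and, as the reply already notes, the call re-seeds a generator the server has seeded itself, throwing away whatever seed it chose. Rather than guarding a second srandom() behind `random_initialized`, the salt bytes should come from a source meant for cryptographic use instead of random() at all, after which the flag and the whole block become unnecessary.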
Do salts have to be secure at all? I thought they just had to be widely
distributed so that you couldn't use a dictionary attack. The traditional
way to pick crypt salts for /etc/passwd was to use the first two letters of
the username after all.

-- 
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
  Get trained by Bruce Momjian - ask me about EnterpriseDB's PostgreSQL training!

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
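As an added illustration of the two points raised in this thread (it is not code from the thread or from PostgreSQL): a salt drawn from random() after srandom(time(NULL)) repeats whenever the seed repeats, which is what D'Arcy saw, whereas a salt read from the kernel's random device does not. The eight-character salt length, the crypt-style alphabet, the fixed timestamp standing in for time(NULL), and the use of /dev/urandom as the non-deterministic source are all assumptions of this example.

```c
#define _DEFAULT_SOURCE          /* expose srandom()/random() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Alphabet of traditional crypt(3) salts: 64 symbols, [./0-9A-Za-z]. */
static const char salt_chars[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

#define SALT_LEN 8               /* assumption: longer than the classic 2 chars */

/* Salt from the libc random() stream, seeded the way the quoted patch does it.
 * 'seed' models the value of time(NULL); equal seeds give equal salts. */
void salt_from_seeded_random(unsigned int seed, char *out)
{
    srandom(seed);
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = salt_chars[random() % 64];
    out[SALT_LEN] = '\0';
}

/* Salt from the kernel CSPRNG via /dev/urandom (assumed available).
 * Returns 0 on success, -1 if the device cannot be read. */
int salt_from_urandom(char *out)
{
    unsigned char buf[SALT_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, SALT_LEN, f);
    fclose(f);
    if (n != SALT_LEN)
        return -1;
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = salt_chars[buf[i] % 64];   /* 256 % 64 == 0, so no modulo bias */
    out[SALT_LEN] = '\0';
    return 0;
}

/* Returns 1 if two salts generated within the same "second" are identical,
 * i.e. reproduces the repeated-salt behaviour described in the thread. */
int same_second_collides(void)
{
    char a[SALT_LEN + 1], b[SALT_LEN + 1];
    unsigned int now = 1223812678u;   /* constructed timestamp, stands in for time(NULL) */
    salt_from_seeded_random(now, a);
    salt_from_seeded_random(now, b);
    return strcmp(a, b) == 0;
}

/* Returns 1 if two consecutive /dev/urandom salts differ, 0 if they collide
 * (probability 64^-8), and -1 if the device could not be read. */
int urandom_salts_differ(void)
{
    char a[SALT_LEN + 1], b[SALT_LEN + 1];
    if (salt_from_urandom(a) != 0 || salt_from_urandom(b) != 0)
        return -1;
    return strcmp(a, b) != 0;
}

int main(void)
{
    char s[SALT_LEN + 1];
    salt_from_seeded_random(1223812678u, s);
    printf("seeded(time)  : %s\n", s);
    salt_from_seeded_random(1223812678u, s);
    printf("seeded(time)  : %s   (same second, same salt)\n", s);
    if (salt_from_urandom(s) == 0)
        printf("urandom       : %s\n", s);
    if (salt_from_urandom(s) == 0)
        printf("urandom       : %s\n", s);
    return 0;
}
```

The first function shows why a time-seeded generator is unsuitable even for a value that is stored in the clear: its output is a function of the seed alone, so whatever predictability or repetition the seed has, the salt has too. The second function avoids the question of seeding entirely by taking the bytes from the kernel, which is also what removes the need for a `random_initialized` flag.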