Magnus Hagander <[EMAIL PROTECTED]> writes:
> D'Arcy J.M. Cain wrote:
>> On Sun, 12 Oct 2008 12:57:58 +0300
>> "Marko Kreen" <[EMAIL PROTECTED]> wrote:
>>> On 10/11/08, D'Arcy J.M. Cain <[EMAIL PROTECTED]> wrote:
>>>> + if (!random_initialized)
>>>> + {
>>>> + srandom((unsigned int) time(NULL));
>>>> + random_initialized = true;
>>>> + }
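Review bot: the seed passed to srandom() here, (unsigned int) time(NULL), has one-second resolution, so every process that reaches this branch in the same second draws the same random() sequence, and the values can be reproduced by anyone who knows roughly when the first call happened. srandom() also resets process-wide generator state, so this overrides any seeding done elsewhere in the same process. Suggest dropping the local seeding and the random_initialized flag, and taking the salt bytes from a cryptographically strong source instead.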
>>> This is a bad idea, postgres already does srandom()
>>
>> Is that new? I added that to my local version at one time because I
>> was getting the same salt every time I ran it.
>
> You really should not be using the standard random() function to generate
> salts... You need a more secure one.
Do salts have to be secure at all? I thought they just had to be widely
distributed so that you couldn't use a dictionary attack. The traditional way
to pick crypt salts for /etc/passwd was to use the first two letters of the
username after all.
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Get trained by Bruce Momjian - ask me about EnterpriseDB's PostgreSQL
training!
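
Added example, not part of the thread or of the PostgreSQL source: a small C program contrasting a salt drawn from random() after a time(NULL) seed, as in the quoted hunk, with one drawn from /dev/urandom. The function names, the 16-character salt length and the use of the crypt(3) alphabet are assumptions made for the demonstration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose srandom()/random() under strict -std= */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SALT_LEN 16   /* constructed length for the demo */

/* crypt(3)-style salt alphabet, 64 symbols */
static const char ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Seed random() and draw a salt, as the quoted hunk would. The seed is a
 * parameter so that two processes started in the same second can be modelled. */
static void salt_from_random(unsigned int seed, char out[SALT_LEN + 1])
{
    srandom(seed);
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = ALPHABET[random() & 63];
    out[SALT_LEN] = '\0';
}

/* Draw a salt from the kernel CSPRNG. Returns 0 on success, -1 on failure. */
static int salt_from_urandom(char out[SALT_LEN + 1])
{
    unsigned char raw[SALT_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(raw, 1, sizeof raw, f) : 0;
    if (f)
        fclose(f);
    if (got != sizeof raw)
        return -1;
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = ALPHABET[raw[i] & 63];   /* 256 % 64 == 0, so no bias */
    out[SALT_LEN] = '\0';
    return 0;
}

int main(void)
{
    char a[SALT_LEN + 1], b[SALT_LEN + 1], c[SALT_LEN + 1];
    unsigned int now = (unsigned int) time(NULL);
    salt_from_random(now, a);   /* process 1 */
    salt_from_random(now, b);   /* process 2, started in the same second */
    printf("random(), same second: %s %s (%s)\n", a, b,
           strcmp(a, b) == 0 ? "identical" : "different");
    if (salt_from_urandom(c) == 0)
        printf("/dev/urandom:          %s\n", c);
    return 0;
}
```

Two accounts created in the same second by separate processes end up with the same salt in the first case, so one precomputed table covers both hashes.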