On 08/15/2012 11:22 AM, Joe Conway wrote:
On 08/15/2012 06:48 AM, Tom Lane wrote:
On Wed, Aug 15, 2012 at 6:11 AM, Bruce Momjian <br...@momjian.us> wrote:
Is there a TODO here?
If anybody's concerned about the security of our password storage,
they'd be much better off working on improving the length and randomness
of the salt string than replacing the md5 hash per se.
Or change to an md5 HMAC rather than straight md5 with salt. Last I
checked (which admittedly was a while ago) there were still no known
cryptographic weaknesses associated with an HMAC based on md5.
Possibly. I still think the right time to revisit this whole area will
be when the NIST Hash Function competition ends supposedly later this
year. See <http://csrc.nist.gov/groups/ST/hash/timeline.html>. At that
time we should probably consider moving our password handling to use the
new standard function.
cheers
andrew
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers