On Wed, Dec 28, 2011 at 08:25:54AM -0600, ktm@xxxxxxxx wrote:
> > >If you have a need for stronger hashing functions you might want
> > >to contact one of the consultants who does contract work on
> > >PostgreSQL development and find out what'd be involved in funding
> > >the development of the feature. Think about why you need it first,
> > >though; what threat(s) are you trying to protect from?
> >
> > The reasoning is that if your database content gets lost, your
> > passwords are in danger of being decrypted today with md5 hash, and
> > most of the time passwords are reused at other places. With stronger
> > hashes at least the password itself would be somewhat safe. But as
> > said, in many environments the application does not use database users
> > anyway, but does its own user management with hopefully stronger
> > encryption of the passwords.
> >
> > Thanks
> >
> > Andreas
> >
> Exactly. You need to use GSSAPI or something else to secure it. Then
> the passwords are not available to be decrypted in the database and
> you can use much more extensive encryption for them.

The limitations of MD5 do not apply to the way we use MD5 to store
passwords in Postgres; see:

	http://archives.postgresql.org/pgsql-hackers/2008-01/msg00846.php

-- 
  Bruce Momjian  <bruce@xxxxxxxxxx>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +