On 09/06/11 03:07, Isak Hansen wrote: > While MD5 is considered broken for certain applications, it's still > perfectly valid for auth purposes. MD5 rainbow tables can be calculated quickly using services easily available to anyone (eg: EC2) and rainbow tables for passwords up to 8 chars have been successfully used in demo and real attacks several times in the last year. It's looking pretty shakey. That said, _properly_ _salted_ md5 is still likely to be strong enough for most people's likely attack scenarios for quite some time to come. It's only unsalted md5 that's dangerously stupid to use now - and it was never exactly a good idea. If you do your own user/password storage with a "users" table in the database or whatever, make sure you salt the passwords for encryption. -- Craig Ringer -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
