Search Postgresql Archives

Re: sha1 function

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Martin Marques wrote:
We are at the moment planning on passing some passwords that are plain texted in our DB to some encrypted form as now they will be used for processes that require better security measures.

We started looking at md5() but found that it's easy to crack and one of the systems uses CHAP authentication, and so SHA1 hashing.

So, two questions arise.

1) Is MD5's weakness true?

Well (and I'm not a security expert so please check details), there are some issues with MD5: 1. There were some recent breakthroughs in generating multiple documents that match a given MD5 hash. This is less of a threat to passwords and more to document forgery. 2. It's practical nowadays to pre-calculate "rainbow tables" to cover all possible combinations of a short password (hence the use of a "salt" to extend the password length). 3. You can't get from the hash back to a password easily. So - it's no use for storing passwords for other systems, just for checking supplied passwords.

What you need to ask is what you're protecting against. If someone has access to the database, have they also gained access to the process that uses these passwords, so allowing them to watch the unencrypted password be tested?

2) Is there any sha1() functions in PostgreSQL?

See contrib/pgcrypto in the source distribution or the equivalent in whatever package you use.

--
  Richard Huxton
  Archonet Ltd

---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux