On Mon, Aug 20, 2012 at 07:08:12PM -0400, Tom Lane wrote:
> The only reason I can see for pushing more crypto into core is
> if we needed to stop using MD5 for the core password authentication
> functionality. While that might come to pass eventually, I am aware of
> no evidence whatever that SHAn, per se, is an improvement over MD5 for
> password auth purposes. Moreover, as Josh just mentioned, anybody who
> thinks it might be insufficiently secure for their purposes has got
> plenty of alternatives available today (SSL certificates, PAM backed
> by whatever-you-want, etc).
>
> TBH, I think if we do anything at all about this in the near future,
> it'll be window dressing to shut up the people who heard once that MD5
> was insecure and know nothing about it beyond that --- but if Postgres
> uses MD5 for passwords, it must be insecure. So I tend to agree with
> Andrew that we should wait till the NIST competition dust settles; but
> what I'll be looking for afterwards is which algorithm has the most
> street cred with the average slashdotter.
>
> Also, as I mentioned upthread, we need to do more than just drop in
> a new hashing algorithm. MD5 is far from being the weakest link
> in what we're doing today.
If anyone believe Tom is inaccurate in "MD5 is far from being the
weakest link", see this 2004 email from Greg Stark explaining the odds
of salt reuse and password packet replay:
http://archives.postgresql.org/pgsql-hackers/2004-08/msg01540.php
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ It's impossible for everything to be true. +