[BUGS] BUG #14797: It's not safe to use MD5

Поиск
Список
Период
Сортировка
От dmitriy.davydov@deiteriy.com
Тема [BUGS] BUG #14797: It's not safe to use MD5
Дата
Msg-id 20170905120106.25638.8076@wrigleys.postgresql.org
обсуждение исходный текст
Ответы Re: [BUGS] BUG #14797: It's not safe to use MD5  (hubert depesz lubaczewski <depesz@depesz.com>)
Список pgsql-bugs
Дерево обсуждения 
The following bug has been logged on the website:

Bug reference:      14797
Logged by:          Dmitriy Davydov
Email address:      dmitriy.davydov@deiteriy.com
PostgreSQL version: 9.6.5
Operating system:   CentOS
Description:

Hello.
Postgresql 9.6.5 , by default , database user passwords are stored as MD5
hashes (18.8  Encryption Options.
http://repo.postgrespro.ru/doc/pgsql/9.6.5/en/postgres-A4-fop.pdf). At the
moment, it's not safe to use MD5. 
Unfortunately, Rolename is used as the salt.
(src/backend/commands/user.c  
if (!pg_md5_encrypt(password, rolename, strlen(rolename),
encrypted_password)) )  
This is also unsafe.
Payment Card Industry (PCI) Data Security Standard requires the use of hash
functions described in FIPS 180-4, such as SHA-256 and SHA-512.
Please make changes in future versions.


--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

В списке pgsql-bugs по дате отправления:

Предыдущее
От: Tom Lane
Дата:
Сообщение: Re: [BUGS] Can't read oprcode from remote pg_operator
Следующее
От: Thom Brown
Дата:
Сообщение: Re: [BUGS] Can't read oprcode from remote pg_operator