Обсуждение: sha1 function
We are at the moment planning on passing some passwords that are plain texted in our DB to some encrypted form as now they will be used for processes that require better security measures. We started looking at md5() but found that it's easy to crack and one of the systems uses CHAP authentication, and so SHA1 hashing. So, two questions arise. 1) Is MD5's weakness true? 2) Is there any sha1() functions in PostgreSQL? -- 21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18 --------------------------------------------------------- Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador ---------------------------------------------------------
Martin Marques wrote: > We are at the moment planning on passing some passwords that are plain > texted in our DB to some encrypted form as now they will be used for > processes that require better security measures. > > We started looking at md5() but found that it's easy to crack and one of > the systems uses CHAP authentication, and so SHA1 hashing. > > So, two questions arise. > > 1) Is MD5's weakness true? Well (and I'm not a security expert so please check details), there are some issues with MD5: 1. There were some recent breakthroughs in generating multiple documents that match a given MD5 hash. This is less of a threat to passwords and more to document forgery. 2. It's practical nowadays to pre-calculate "rainbow tables" to cover all possible combinations of a short password (hence the use of a "salt" to extend the password length). 3. You can't get from the hash back to a password easily. So - it's no use for storing passwords for other systems, just for checking supplied passwords. What you need to ask is what you're protecting against. If someone has access to the database, have they also gained access to the process that uses these passwords, so allowing them to watch the unencrypted password be tested? > 2) Is there any sha1() functions in PostgreSQL? See contrib/pgcrypto in the source distribution or the equivalent in whatever package you use. -- Richard Huxton Archonet Ltd
On 01/10/2007, Martin Marques <martin@bugs.unl.edu.ar> wrote: > > 1) Is MD5's weakness true? Yes, but not really for using in a password functionality. You are very unlikely to repeat a password but in any case you will have the user ID to make it unique. > 2) Is there any sha1() functions in PostgreSQL? > It doesn't come with the default setup, but it's very simple to get. Take a look at this: http://snipr.com/pg_sha1