Re: Proposal: Support custom authentication methods using hooks

From: Stephen Frost
Subject: Re: Proposal: Support custom authentication methods using hooks
Msg-id: 20220302145841.GA10577@tamriel.snowman.net
In reply to: Re: Proposal: Support custom authentication methods using hooks  (Bruce Momjian <bruce@momjian.us>)
List: pgsql-hackers
Greetings,

* Bruce Momjian (bruce@momjian.us) wrote:
> On Tue, Mar  1, 2022 at 08:31:19AM -0500, Stephen Frost wrote:
> > > The last time I played with this area is the recent error handling
> > > improvement with cryptohashes but MD5 has actually helped here in
> > > detecting the problem as a patched OpenSSL would complain if trying to
> > > use MD5 as hash function when FIPS is enabled.
> >
> > Having to continue to deal with md5 as an algorithm when it's known to
> > be notably less secure and so much so that organizations essentially ban
> > its use for exactly what we're using it for, is, in fact, another reason to
>
> Really?  I thought it was publicly-visible MD5 hashes that were the
> biggest problem.  Our 32-bit salt during the connection is a problem, of
> course.

Neither are good.  Not sure that we really need to spend a lot of effort
trying to figure out which issue is the biggest problem.

> > remove it, not a reason to keep it.  Better code coverage testing of
> > error paths is the answer to making sure that our error handling behaves
> > properly.
>
> What is the logic to removing md5 but keeping 'password'?

I don't think we should keep 'password'.

Thanks,

Stephen
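
The exchange above argues for dropping both md5 and cleartext 'password' authentication. The following SQL is an added example, not part of this thread or of PostgreSQL's own source tree, showing the checks an administrator would run to find roles still carrying md5 hashes and to make SCRAM-SHA-256 the default for new passwords. pg_authid, rolpassword, password_encryption, pg_reload_conf() and the pg_hba.conf method names are real PostgreSQL identifiers; the role name, the password and the pg_hba.conf address ranges are constructed placeholders.

```sql
-- Inventory of password verifier types per login role. Reading
-- pg_authid.rolpassword requires superuser (pg_roles masks it).
-- md5 hashes begin with 'md5'; SCRAM verifiers begin with 'SCRAM-SHA-256$'.
SELECT rolname,
       CASE
         WHEN rolpassword IS NULL                THEN 'no password set'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5 (legacy)'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         ELSE 'unknown format'
       END AS verifier_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY verifier_type, rolname;

-- Make all newly set passwords SCRAM-SHA-256 cluster-wide.
-- ALTER SYSTEM writes postgresql.auto.conf; a reload applies it.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- An existing md5 hash cannot be converted in place (the plaintext is
-- not available to the server), so each affected role has to set a new
-- password; with password_encryption above, the stored value becomes a
-- SCRAM verifier. Role name and password are constructed placeholders.
ALTER ROLE app_user PASSWORD 'replace-me-with-a-new-secret';

-- Corresponding pg_hba.conf change (constructed lines, edited by hand):
--   before:  host  all  all  10.0.0.0/8  md5
--   after:   host  all  all  10.0.0.0/8  scram-sha-256
-- A 'password' method line sends the password in cleartext unless the
-- connection is TLS-protected and should be replaced the same way.
```

Run the inventory query first, switch pg_hba.conf only after every login role listed as 'md5 (legacy)' has been re-passworded, then reload; switching the hba method before the verifiers are migrated locks those roles out.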
