Mark Mielke wrote:
More two or even three different hashes with different collion-points
will strongly increase the security.
No it doesn't unless you are thinking about a security through
obscurity argument.
It is really the same argument on all your questions....
If I have a simple table now
ID serial
Username varchar
Password varchar
I currently save only md5(id || username || 'password')* into password,
if I had access to sha1 (for example) i would add another password
column so, having for example
ID serial
Username varchar
Password_md5 varchar
Password_sha1 varchar
No matter how you see it, I get more bits of hash to check against.
I would drop md5 totally and use sha1 and ripemd-160 if possible.. but
currently i use only md5 as it is the only available one.. Loading
pgcrypto is overkill for something as simple as hash-functions.
Svenne
* I prepend the id and the username to guard users with weak passwords
against known hashvalues (rainbow tables) should the box ever get
comprised ... if you are in doubt about the value of this, try google
for 40e94aa51dc5c0ccc5aad4e6aefdde2a and guess the secret password...
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
