On Wed, Feb 11, 2015 at 5:25 PM, Heikki Linnakangas <hlinnakan...@vmware.com> wrote: > On 02/11/2015 06:35 AM, Claudio Freire wrote: >> >> Usually because handshakes use a random salt on both sides. Not sure >> about pg's though, but in general collision strength is required but >> not slowness, they're not bruteforceable. > > > To be precise: collision resistance is usually not important for hashes used > in authentication handshakes. Not for our MD5 authentication method anyway; > otherwise we'd be screwed. What you need is resistance to pre-image attacks.
AFAIK, if I find a colliding string to the MD5 stored in pg_authid, I can specify that to libpq and get authenticated. Am I missing something? -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers