It feels like MD5 has accumulated enough problems that we need to start
looking for another way to store and pass passwords.  The MD5 problems

1)  MD5 makes users feel uneasy (though our usage is mostly safe) 

2)  The per-session salt sent to the client is only 32-bits, meaning
that it is possible to reply an observed MD5 hash in ~16k connection

3)  Using the user name for the MD5 storage salt allows the MD5 stored
hash to be used on a different cluster if the user used the same

4)  Using the user name for the MD5 storage salt causes the renaming of
a user to break the stored password.

For these reasons, it is probably time to start thinking about a
replacement that fixes these issues.  We would keep MD5 but recommend
a better option.

  Bruce Momjian  <>

  + Everyone has their own god. +

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to