Bruce, all,

* Bruce Momjian (br...@momjian.us) wrote:
> It feels like MD5 has accumulated enough problems that we need to start
> looking for another way to store and pass passwords. The MD5 problems
> are:
>
> 1) MD5 makes users feel uneasy (though our usage is mostly safe)
>
> 2) The per-session salt sent to the client is only 32-bits, meaning
> that it is possible to replay an observed MD5 hash in ~16k connection
> attempts.
>
> 3) Using the user name for the MD5 storage salt allows the MD5 stored
> hash to be used on a different cluster if the user used the same
> password.
>
> 4) Using the user name for the MD5 storage salt causes the renaming of
> a user to break the stored password.
>
> For these reasons, it is probably time to start thinking about a
> replacement that fixes these issues. We would keep MD5 but recommend
> a better option.
For more background, I'd suggest taking a look at this recent thread:

CA+TgmoaWdkNBT4mNZ+wf=fgjd7av9bq7ntsvcha7yeox0ly...@mail.gmail.com

Thanks!

Stephen