
pgcrypto and password hashing


I'm thinking about my choices regarding how to store passwords in Postgres.

One such option is to use pgcrypto. Reading their docs, I see that their crypt and gen_salt functions do not use sha256 but instead use a custom version of the cryptographically broken md5. Why would Postgres developers use such a hashing algorithm for their password storing module, given that it's not secure?

I suppose I should use, instead of the broken (at least in my eyes) pgcrypto module, the built in binary function sha256 together with a random salt.


Use a good password hash that slows down guesses. If you prefer to keep pgcrypto, its best crypt() algorithm is currently bf, aka bcrypt, based on Blowfish.

Or select an alternative that is known to cryptographers and has well tested implementations. Note this could be in application code. crypt() as a DBMS function is convenient but not required.

Feel free to crack your own password hashes, to show how many guesses per second are practical.

Outdated md5 and des algorithms exist because PostgreSQL is old. Password hashes still exist in tables somewhere, not updated yet because their users have not logged in for many years.

I suppose I should use, instead of the broken (at least in my eyes) pgcrypto module, the built in binary function sha256 together with a random salt.

Do not roll your own password hash algorithm. sha256 is a fast hash, the opposite of what a password needs.
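To make the advice above concrete, here is an added example (not from the question or the answer, and not pgcrypto's own documentation) showing the weak "fast hash plus salt" form next to the recommended crypt()/gen_salt('bf') form, plus the matching verification query. The table app_user and the user and password values are constructed for illustration.

```sql
-- Added example: assumes PostgreSQL with the pgcrypto extension available
-- and a hypothetical table app_user (both constructed for this illustration).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    id            serial PRIMARY KEY,
    username      text NOT NULL UNIQUE,
    password_hash text NOT NULL   -- crypt() string: algorithm, cost and salt are embedded
);

-- Weak form (shown only for contrast, do not use): a fast hash with a salt.
-- The salt stops precomputed tables, but a GPU still tests enormous numbers
-- of sha256 guesses per second.
-- INSERT INTO app_user (username, password_hash)
-- VALUES ('alice', encode(sha256(('random-salt' || 'correct horse battery staple')::bytea), 'hex'));

-- Recommended within pgcrypto: crypt() with a Blowfish (bcrypt) salt.
-- The second argument to gen_salt is the cost; 12 means 2^12 rounds.
-- Raise it until one hash takes tens of milliseconds on your own hardware.
INSERT INTO app_user (username, password_hash)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 12)));

-- Verification: crypt() re-hashes the candidate using the algorithm, cost and
-- salt stored inside password_hash, so the result equals the stored value
-- exactly when the password matches. A correct password returns one row.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND password_hash = crypt('correct horse battery staple', password_hash);

-- A wrong password returns no row.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND password_hash = crypt('wrong guess', password_hash);

-- Migration on successful login: rows that still carry a legacy md5/des hash
-- (anything not starting with bcrypt's $2a$ prefix) are re-hashed with bcrypt,
-- which is how old hashes get upgraded without knowing the passwords up front.
UPDATE app_user
SET password_hash = crypt('correct horse battery staple', gen_salt('bf', 12))
WHERE username = 'alice'
  AND password_hash NOT LIKE '$2a$%';
```

In real code the password is passed as a bind parameter rather than a literal, and the plaintext still travels to the database server and can end up in statement logs if log_statement captures it; that is one reason the answer notes that hashing in application code is a reasonable alternative to crypt() as a DBMS function.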
