| From: | Gregory Stark <stark(at)enterprisedb(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: The Axe list |
| Date: | 2008-10-12 17:37:03 |
| Message-ID: | 87abd9yatc.fsf@oxford.xeocode.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Magnus Hagander <magnus(at)hagander(dot)net> writes:
> D'Arcy J.M. Cain wrote:
>> On Sun, 12 Oct 2008 12:57:58 +0300
>> "Marko Kreen" <markokr(at)gmail(dot)com> wrote:
>>> On 10/11/08, D'Arcy J.M. Cain <darcy(at)druid(dot)net> wrote:
>>>> + if (!random_initialized)
>>>> + {
>>>> + srandom((unsigned int) time(NULL));
>>>> + random_initialized = true;
>>>> + }
>>> This is bad idea, postgres already does srandom()
>>
>> Is that new? I added that to my local version at one time because I
>> was getting the same salt every time I ran it.
>
> You really should not be using the standard random() function to generat
> salts... You need a more secure one.
Do salts have to be secure at all? I thought they just had to be widely
distributed so that you couldn't use a dictionary attack. The traditional way
to pick crypt salts for /etc/passwd was to use the first two letters of the
username after all.
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Get trained by Bruce Momjian - ask me about EnterpriseDB's PostgreSQL training!
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2008-10-12 17:47:28 | Re: The Axe list |
| Previous Message | Andres Freund | 2008-10-12 17:31:00 | Re: Updates of SE-PostgreSQL 8.4devel patches - Patent problems? |