[OWASP-Security101] postgres authentication and md5
jim.manico at owasp.org
Fri Nov 6 20:01:38 UTC 2015
I think it's a bad idea to use hashing and salting for password storage.
Cryptographers recommend using an *adaptive* hash such as PBKDF2, bcrypt
or scrypt today.

MD5 is WAY past broken for password storage. Not because the hash is bad -
but any hash is bad - because they are fast. You need to store
passwords in a way that is slow.

On 11/2/15 2:18 PM, Alex Scherbanov wrote:
> Hello. I’m not entirely sure if this list is the best place for my request, but it’s related to password hashing, so I guess it’s quite relevant.
> Could you take a look at my answer on stackoverflow?
> I’m going to use postgres in my project and I’d like to be sure I understand its security correctly.
> The question: is postgres password-based authentication secure?
> My answer:
> Alex Scherbanov
Global Board Member
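
Added example, not part of the original message: a sketch of the fast-versus-slow distinction the reply draws, using PBKDF2 from Python's standard library next to a salted MD5. The record format, the function names and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"  # record format below is made up for this example


def salted_md5(password: str, salt: bytes) -> str:
    """The fast construction: one MD5 call per password guess."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'scheme$iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except (ValueError, OverflowError):
        return False  # malformed or unparseable record


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a lower cost than the current one."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdecimal():
        return True
    return int(parts[1]) < iterations


def seconds_per_guess(fn, rounds: int = 3) -> float:
    """Average wall-clock cost of one call, i.e. of one password guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds
```

Because the iteration count is stored in each record, the cost can be raised later: check `needs_rehash` after a successful `verify_password` and store a fresh `hash_password` result while the plaintext is still in hand.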