[OWASP-Security101] postgres authentication and md5

Jim Manico jim.manico at owasp.org
Fri Nov 6 20:01:38 UTC 2015


I think it's a bad idea to use hashing and salting for password storage.

Cryptographers recommend using an *adaptive* hash such as PBKDF2, bcrypt 
or scrypt today.

  https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

MD5 is WAY past broken for password storage. Not because the hash is bad 
- but any hash is bad - because they are fast. You need to store 
passwords in a way that is slow.

Aloha,
jim

On 11/2/15 2:18 PM, Alex Scherbanov wrote:
> Hello. I’m not entirely sure if this list is a best place for my request, but it’s related to password hashing, so I guess it’s quite relevant.
>
> Could you take a look at my answer on stackoverflow?
> I’m going to use postgres in my project and I’d like to be sure I understand its security correctly.
>
>
> The question: is postgres password-based authentication secure?
> My answer:
>     http://security.stackexchange.com/a/104409/41687
>
>
> Thanks.
>
>     Alex Scherbanov
>
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
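To make the "fast hash vs. adaptive hash" point in the post concrete, here is an added example (not code from the thread or from OWASP) that stores a password with PBKDF2-HMAC-SHA256 beside the salted-MD5 construction the post warns against, and measures the per-guess cost of each. The iteration count, record format and sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Fast, salted MD5: the construction the post warns against. The salt only
# defeats precomputed tables; it does nothing about the cost of each guess.
def md5_salted(password: bytes, salt: bytes) -> bytes:
    return hashlib.md5(salt + password).digest()

# Adaptive hash: PBKDF2-HMAC-SHA256 with a tunable iteration count. Raising
# the count makes every guess proportionally slower for whoever holds the
# stored hashes. 600k is an assumed work factor; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_hash(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def make_record(password: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stored form (assumed layout): algorithm, iteration count and salt are
    kept with the hash so the work factor can be raised later per user."""
    salt = os.urandom(16)
    digest = pbkdf2_hash(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: bytes, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def time_per_guess(fn, password: bytes, salt: bytes, rounds: int = 20) -> float:
    """Average seconds for one evaluation of fn, i.e. the cost of one guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password, salt)
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    pw, salt = b"correct horse battery staple", os.urandom(16)  # constructed sample input
    record = make_record(pw)
    print("verify ok:", verify(pw, record), "| wrong password:", verify(b"wrong", record))
    md5_t = time_per_guess(md5_salted, pw, salt)
    pbkdf2_t = time_per_guess(pbkdf2_hash, pw, salt, rounds=3)
    print(f"salted MD5: {md5_t * 1e6:.1f} us/guess; PBKDF2: {pbkdf2_t * 1e3:.1f} ms/guess "
          f"(about {pbkdf2_t / md5_t:,.0f}x slower per guess)")
```

The printed ratio is the whole argument: the same attacker budget that tests millions of salted-MD5 guesses per second tests only a handful of PBKDF2 guesses, and the iteration count can be raised as hardware gets faster.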
