Magnus Hagander <magnus@hagander.net> writes:
> D'Arcy J.M. Cain wrote:
>> On Sun, 12 Oct 2008 12:57:58 +0300
>> "Marko Kreen" <markokr@gmail.com> wrote:
>>> On 10/11/08, D'Arcy J.M. Cain <darcy@druid.net> wrote:
>>>> + if (!random_initialized)
>>>> + {
>>>> + srandom((unsigned int) time(NULL));
>>>> + random_initialized = true;
>>>> + }
>>> This is bad idea, postgres already does srandom()
>>
>> Is that new? I added that to my local version at one time because I
>> was getting the same salt every time I ran it.
>
> You really should not be using the standard random() function to generat
> salts... You need a more secure one.
Do salts have to be secure at all? I thought they just had to be widely
distributed so that you couldn't use a dictionary attack. The traditional way
to pick crypt salts for /etc/passwd was to use the first two letters of the
username after all.
-- Gregory Stark EnterpriseDB http://www.enterprisedb.com Get trained by Bruce Momjian - ask me about
EnterpriseDB'sPostgreSQL training!