Re: How passwords can be crypted in postgres? - Mailing list pgsql-general

From Gordan Bobic
Subject Re: How passwords can be crypted in postgres?
Date
Msg-id 000f01c074ab$85f92060$8000000a@localdomain
In response to Re: How passwords can be crypted in postgres?  (The Hermit Hacker <scrappy@hub.org>)
List pgsql-general
> >  [...]
> > Isn't this just as bad? If you store the encrypted password, that doesn't
> > help you in the slightest in this case, because if you can breach the list
> > of encrypted passwords, you still know what you need to send as the
> > "password" from the front end to let you into the database.
> >  [...]
>
> If you encrypt the input from the frontend as well and compare the
> encrypted strings it will not help you to look into the list of
> encrypted passwords ... or am I wrong?

What problem are you trying to defeat? If you are worried about "sniffing"
passwords from the traveling packets, then regardless of whether the
password field carries a plain text password or scrambled garbage, if you
know where the password field is, you can sniff it. If you are simply using
this for authentication, then it doesn't matter whether the password is
encrypted or not. You are still, effectively, transmitting a "password
string" that is used for authentication.

The security of passwords, encrypted or otherwise, is purely reliant on the
security of your database server that stores the data.

Does that make sense?

Regards.

Gordan
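The exchange above argues that if the frontend sends a hashed password and the server compares it with the stored hash, the hash simply becomes the password: whoever captures it on the wire or reads it from the table can present it. The following added example (not from the thread or from PostgreSQL) makes both halves of that argument concrete and goes one step further than the post: it shows that a nonce-based challenge-response scheme, which is assumed here as a generic mitigation, defeats replay of a sniffed value but still leaves a copied server-side secret sufficient, which is exactly Gordan's closing point. Password, salt and nonce sizes are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed example values; the password is a placeholder for illustration.
PASSWORD = "correct horse"          # known only to the legitimate client
SALT = b"constructed-salt"          # fixed so the results are reproducible


def client_side_hash(password: str, salt: bytes = SALT) -> bytes:
    """Scheme A: the frontend hashes the password and transmits the hash."""
    return hashlib.sha256(salt + password.encode()).digest()


# Under scheme A the server stores the very value the client will send.
STORED_HASH = client_side_hash(PASSWORD)


def scheme_a_server_accepts(transmitted: bytes) -> bool:
    """Server compares the transmitted hash with the stored hash."""
    return hmac.compare_digest(transmitted, STORED_HASH)


def scheme_a_replay_succeeds() -> bool:
    """A value seen on the wire or read from the table is accepted as-is:
    the hash has become the password."""
    seen_on_wire = client_side_hash(PASSWORD)   # what a passive observer sees
    read_from_table = STORED_HASH               # what a table breach yields
    return (scheme_a_server_accepts(seen_on_wire)
            and scheme_a_server_accepts(read_from_table))


# Scheme B (assumed mitigation, not described in the post): the server sends
# a fresh random nonce and the client answers with HMAC(secret, nonce).
# Both sides derive the secret from the password the same way as above.

def challenge_response(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def scheme_b_server_accepts(nonce: bytes, response: bytes) -> bool:
    expected = challenge_response(STORED_HASH, nonce)
    return hmac.compare_digest(response, expected)


def scheme_b_replay_fails() -> bool:
    """A response captured during one login is useless for the next one,
    because the server issues a different nonce."""
    nonce1 = os.urandom(16)
    response1 = challenge_response(STORED_HASH, nonce1)   # legitimate login
    if not scheme_b_server_accepts(nonce1, response1):
        return False
    nonce2 = os.urandom(16)                               # next challenge
    return not scheme_b_server_accepts(nonce2, response1)  # replay rejected


def scheme_b_stored_secret_still_sufficient() -> bool:
    """The nonce stops replay of sniffed traffic, but whoever holds the
    server-side secret can answer any challenge, so the stored data must
    still be protected, as the post concludes."""
    nonce = os.urandom(16)
    answer_from_copied_secret = challenge_response(STORED_HASH, nonce)
    return scheme_b_server_accepts(nonce, answer_from_copied_secret)


if __name__ == "__main__":
    print("scheme A: replay of captured hash accepted:", scheme_a_replay_succeeds())
    print("scheme B: replay of captured response rejected:", scheme_b_replay_fails())
    print("scheme B: copied stored secret still sufficient:",
          scheme_b_stored_secret_still_sufficient())
```

The point to take from the three checks is the one the post makes in prose: hashing on the client changes which string is the secret, not how many parties can learn it; a challenge-response exchange removes the passive-sniffing case, and only protecting the stored verifier removes the table-breach case.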

