On 6/5/07, Marko Kreen <markokr@gmail.com> wrote:
> On 6/5/07, Tino Wildenhain <tino@wildenhain.de> wrote:
> > Ranieri Mazili schrieb:
> > > Hello,
> > >
> > > I need to store users and passwords on a table and I want to store it
> > > encrypted, but I haven't found documentation about it, how can I create a
> > > table with columns "user" and "password" with column "password"
> > > encrypted and how can I check if "user" and "password" are correct using
> > > a sql query ?
> >
> > Passwords are usually not encrypted but hashed instead. A common hash
> > function is available in postgres w/o any additional extension:
> >
> > md5()
> >
> > The rule is, if two hashes compare equal, then the original data must
> > be equal (yes, there are chances for collisions, but practically very
> > low. See also sha1 and friends in the pgcrypto contrib module)
>
> Both md5 and sha1 are bad for passwords, no salt and easy to
> bruteforce - due to the tiny amount of data in passwords.
>
> The proper way is to use the crypt() function from the pgcrypto module.
> Due to a historical accident it has a bad name which hints at
> encryption; actually its only purpose is to hash passwords.
> Read more in pgcrypto doc.
>
> --
> marko
>
If you salt them yourself, there's no problem with md5 or sha1, and
they are arguably more secure than the old "crypt" call. Most modern
linuxes use md5 for password storage.
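The pgcrypto crypt() approach recommended earlier in the thread, worked through as an added example (not code from any of the posters): a table with a hashed password column, an insert that generates a per-user salt, and the login check query the original question asked for. It assumes pgcrypto is installed (CREATE EXTENSION pgcrypto on current PostgreSQL; on the 8.x series of this thread it was loaded from contrib/pgcrypto.sql); the table, column and user names are made up for illustration.

```sql
-- Added example; assumes the pgcrypto extension is available.
-- Table and identifiers are illustrative, not from the original thread.
CREATE TABLE app_user (
    username      text PRIMARY KEY,
    -- crypt() output: it embeds the algorithm, cost and salt alongside the hash,
    -- so nothing else needs to be stored to verify later.
    password_hash text NOT NULL
);

-- Store a user. gen_salt('bf', 8) produces a fresh random Blowfish (bcrypt)
-- salt with cost 8, so two users with the same password get different hashes
-- and the work factor slows down brute force, unlike a bare md5()/sha1().
INSERT INTO app_user (username, password_hash)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 8)));

-- Verify a login. Passing the stored hash as the salt argument makes crypt()
-- re-hash the supplied password with the same salt and parameters, so the
-- comparison succeeds only if the password matches; one row is returned.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND password_hash = crypt('correct horse battery staple', password_hash);

-- A wrong password re-hashes to a different value and returns no rows.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND password_hash = crypt('wrong password', password_hash);
```

In application code the plaintext password is passed as a bound parameter in place of the literal, so it never appears in the query text or server logs.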