Re: MD5 in pg and php - Mailing list pgsql-php

From Bruno Wolff III
Subject Re: MD5 in pg and php
Date
Msg-id 20040429101129.GC26489@wolff.to
Whole thread Raw
In response to MD5 in pg and php  (Joolz <joolz@xs4all.nl>)
Responses securing PHP/Postgresql (was: MD5 in pg and php)
List pgsql-php
On Thu, Apr 29, 2004 at 09:07:16 +0200,
  Joolz <joolz@xs4all.nl> wrote:
>
> I want to store passwords in a pg db, MD5 seems like a good way to
> enhance security (no more plaintext passwords over the line etc.) I
> had a look at MD5, in PHP 4.3.4 there is a function md5() which seems
> to work nicely:

This may not help as much as you think. If you are using an ssl connection,
the passwords won't be sent in the clear. If you aren't using an ssl
connection the hashes will be in clear. I don't believe the postgres
uses a random challenge so that you won't really raise the bar much.
Plus if snooping passwords is a threat, most likely snooping data will
be as well (though not always) and forcing connections to use ssl may be
your best bet. I believe as typically used this is vulnerable to man in
the middle attacks, but these are going to be significantly harder to do than
simple snooping.

pgsql-php by date:

Previous
From: Joolz
Date:
Subject: Re: MD5 in pg and php
Next
From: Ludwig Lim
Date:
Subject: Question regarding session