Re: storing passwords - Mailing list pgsql-novice

From Gordon Haverland
Subject Re: storing passwords
Msg-id 200504060057.40043.ghaverla@shaw.ca
In response to Re: storing passwords  (Christopher Nehren <apeiron+usenet@coitusmentis.info>)
List pgsql-novice
On Wednesday 06 April 2005 00:34, Christopher Nehren wrote:
> On 2005-04-06, Cima scribbled these curious markings:
> > what id like to know is if there is a way of storing these
> > passwords as nonplain text or in an encrypted form. i know
> > mysql has an internal function/datatype that when
> > specified, it encrypts the values given.  is there anything
> > like this in postgresql 8.0.1?
> > if not, any sugestions on how to store these passwords?
>
> What I do is receive the password from the user, take the
> SHA512 (yes, SHA512; I'm thinking ahead), and then either store
> it in the database (if they're changing their password or
> registering) or receive the already-stored value from the
> database and see if the two digests are equal. So long as you
> encrypt the password before passing it to the database,
> there'll only be one instance of the password being sent in
> cleartext: from the user's browser to your server. And you can
> fix that with SSL.

Making some kind of digest of a password is nice in that now all
digests of passwords are the same length.  The problem with just
using the password by itself is that if two users somehow have
the same password, the digests will be the same as well.  If you
combine the UserID with the password before taking the digest,
then even if two users have the same passwords, the digests will
be different, which I believe is a better situation.

Gord
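The scheme the two posts describe, as an added example that is not code from either poster: the application takes a SHA-512 digest before anything reaches the database, and (per Gordon's suggestion) folds the user id into the input so two users with the same password get different digests. It goes beyond the thread with a hardened variant that uses a random per-user salt and PBKDF2-HMAC-SHA512 with a constant-time comparison, which is what a reviewer would ask for today since a fast hash over a predictable user id still lets an attacker who obtains the table test candidate passwords quickly. The in-memory USERS dict stands in for the PostgreSQL users table (INSERT/SELECT in practice), and the "user:password" concatenation and the iteration count are my own choices.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a PostgreSQL users table: user id -> stored record.
# In a real deployment these are INSERT/SELECT statements against a text column.
USERS = {}


def plain_digest(password: str) -> str:
    """The naive form: SHA-512 of the password alone. Two users with the same
    password get identical digests, which is the weakness Gordon points out."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def digest_as_posted(user_id: str, password: str) -> str:
    """Gordon's scheme: SHA-512 over user id + password. The separator and
    ordering are my assumption; the thread only says to combine them."""
    return hashlib.sha512(f"{user_id}:{password}".encode("utf-8")).hexdigest()


def register_as_posted(user_id: str, password: str) -> None:
    USERS[user_id] = {"scheme": "sha512-userid",
                      "digest": digest_as_posted(user_id, password)}


def verify_as_posted(user_id: str, password: str) -> bool:
    row = USERS.get(user_id)
    if row is None or row["scheme"] != "sha512-userid":
        return False
    # compare_digest avoids leaking where the two digests first differ
    return hmac.compare_digest(row["digest"], digest_as_posted(user_id, password))


# Hardened variant (added here, not from the thread): a random salt per user
# plus a deliberately slow key derivation function.
PBKDF2_ITERATIONS = 200_000  # assumed tuning value; raise as hardware allows


def make_record(password: str, salt: bytes = None) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha512", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "digest": dk.hex()}


def register_hardened(user_id: str, password: str) -> None:
    USERS[user_id] = make_record(password)


def verify_hardened(user_id: str, password: str) -> bool:
    row = USERS.get(user_id)
    if row is None or row["scheme"] != "pbkdf2-sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(row["salt"]), row["iterations"])
    return hmac.compare_digest(bytes.fromhex(row["digest"]), dk)


if __name__ == "__main__":
    # Constructed demo: same password, three users, three storage schemes.
    print("plain digests equal:", plain_digest("hunter2") == plain_digest("hunter2"))
    print("userid-salted differ:",
          digest_as_posted("alice", "hunter2") != digest_as_posted("bob", "hunter2"))
    register_hardened("bob", "hunter2")
    register_hardened("carol", "hunter2")
    print("random-salt digests differ:", USERS["bob"]["digest"] != USERS["carol"]["digest"])
    print("bob verifies:", verify_hardened("bob", "hunter2"))
```

The `scheme` field in each record lets the two verifiers coexist, so accounts stored under the posted scheme can be re-hashed into the hardened one at their next successful login without a forced password reset.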
