Home > mailing lists

Re: ramblings about password exposure (WAS: field with Password) - Mailing list pgsql-general

From	Sam Mason
Subject	Re: ramblings about password exposure (WAS: field with Password)
Date	February 4, 2009 14:22:56
Msg-id	20090204152247.GU3008@frubble.xen.chris-lamb.co.uk Whole thread Raw
In response to	Re: field with Password ("Raymond C. Rodgers" <sinful622@gmail.com>)
Responses	Re: ramblings about password exposure (WAS: field with Password)
List	pgsql-general

Tree view

On Wed, Feb 04, 2009 at 09:34:56AM -0500, Raymond C. Rodgers wrote:
> You don't need to depend on an external library for this functionality;
> it's built right into Postgres. Personally, in my own apps I write in
> PHP, I  use a combination of sha1 and md5 to hash user passwords,
> without depending on Postgres to do the hashing, but the effect is
> basically the same.

Doing the hashing outside PG would reduce the chance of the password
being exposed, either accidentally by, say, turning on statement
logging, or maliciously.  A general rule with passwords is to throw away
any copy of a plain text password as quickly as possible, sending the
password over to another process would go against this.

--
  Sam  http://samason.me.uk/

pgsql-general by date:

From: Iñigo Barandiaran
Date: 04 February 2009, 13:58:39
Subject: Re: field with Password

From: "A.M."
Date: 04 February 2009, 15:26:19
Subject: Re: Pet Peeves?

Re: ramblings about password exposure (WAS: field with Password) - Mailing list pgsql-general

Previous

Next