Re: Encrypted column - Mailing list pgsql-general

From Tino Wildenhain
Subject Re: Encrypted column
Date
Msg-id 46658C49.3010004@wildenhain.de
In response to Re: Encrypted column  ("Marko Kreen" <markokr@gmail.com>)
List pgsql-general
Marko Kreen wrote:
> On 6/5/07, Tino Wildenhain <tino@wildenhain.de> wrote:
>> Ranieri Mazili wrote:
>> > Hello,
>> >
>> > I need to store users and passwords in a table and I want to store them
>> > encrypted, but I didn't find documentation about it. How can I create a
>> > table with columns "user" and "password" with column "password"
>> > encrypted, and how can I check if "user" and "password" are correct using
>> > a SQL query?
>>
>> Passwords are usually not encrypted but hashed instead. A common hash
>> function is available in postgres w/o any additional extension:
>>
>> md5()
>>
>> The rule is, if two hashes compare equal, then the original data must
>> be equal (yes, there are chances for collisions, but practically very
>> low. See also sha1 and friends in the pgcrypto contrib module)
>
> Both md5 and sha1 are bad for passwords, no salt and easy to
> bruteforce - due to the tiny amount of data in passwords.
>
Err. I did not mention salt but nobody prevents you from using
a salt with md5 and sha.

Regards
Tino
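
Added example, not part of the original message or of PostgreSQL's documentation: the two approaches the thread touches on, side by side. Variant A is a per-user salt combined with md5(), variant B uses crypt() and gen_salt() from the pgcrypto contrib module. The table name, column names and sample credentials are assumptions made for illustration.

```sql
-- Constructed example; needs the pgcrypto contrib module.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    username text PRIMARY KEY,
    -- Variant A: random per-user salt stored beside a salted md5 digest
    md5_salt text NOT NULL,
    md5_hash text NOT NULL,
    -- Variant B: crypt() output; algorithm, cost and salt are embedded in it
    pw_crypt text NOT NULL
);

-- Register a user. Literals are used for readability; an application
-- would pass the username and password as bind parameters.
WITH s AS (SELECT encode(gen_random_bytes(16), 'hex') AS salt)
INSERT INTO app_user (username, md5_salt, md5_hash, pw_crypt)
SELECT 'alice',
       s.salt,
       md5(s.salt || 'correct horse'),
       crypt('correct horse', gen_salt('bf', 10))  -- Blowfish-based, cost 2^10
FROM s;

-- Variant A login check: recompute the digest with the stored salt.
-- The salt stops identical passwords from sharing a hash, but md5 stays
-- fast, so each guess against a stolen row is still cheap.
SELECT EXISTS (
    SELECT 1 FROM app_user
    WHERE username = 'alice'
      AND md5_hash = md5(md5_salt || 'correct horse')
) AS md5_login_ok;      -- true

-- Variant B login check: crypt() reads salt and cost from the stored value,
-- re-hashes the candidate, and the result must equal the stored string.
SELECT EXISTS (
    SELECT 1 FROM app_user
    WHERE username = 'alice'
      AND pw_crypt = crypt('correct horse', pw_crypt)
) AS crypt_login_ok;    -- true

-- A wrong password fails both checks.
SELECT md5_hash = md5(md5_salt || 'wrong guess') AS md5_login_ok,
       pw_crypt = crypt('wrong guess', pw_crypt) AS crypt_login_ok
FROM app_user
WHERE username = 'alice';   -- false, false
```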
