Postgres Pro
Downloads
Home   >   mailing lists

Re: password management - Mailing list pgsql-general

From Craig Ringer
Subject Re: password management
Date
Msg-id 4BE3908E.7010906@postnewspapers.com.au
Whole thread Raw
In response to password management  (akp geek <akpgeek@gmail.com>)
Responses Re: password management  (Craig Ringer <craig@postnewspapers.com.au>)
List pgsql-general
Tree view 
On 7/05/2010 2:31 AM, akp geek wrote:
> Dear all -
>
>                 I am writing function to handle the passwords. Currently
> the crypt is being used to store the password in the database. what I
> need to do is, when the user wants to change the password, I need to
> check if that password is not being used before up to 5 times, If not
> then then records should be inserted to the database.
>
>                The problem where i am running into, when I capture the
> password that user entered, I can't compare to the one in database ,
> because each time the function crypt gives different one. Is there any
> way that I can achieve this?

Extract the salt from each stored password and re-encrypt the new
password with the same salt when comparing it to the old one.

eg:


craig=> create table password_history ( password text not null );
CREATE TABLE
craig=> insert into password_history(password) values ( crypt('fred',
gen_salt('md5')) );
INSERT 0 1
craig=> insert into password_history(password) values ( crypt('bob',
gen_salt('md5')) );
INSERT 0 1
craig=> insert into password_history(password) values (
crypt('smeghead', gen_salt('md5')) );
INSERT 0 1
craig=> create or replace function extract_salt(text) returns text as $$
craig$> select (regexp_matches($1, E'^(\\$[^\\$]+\\$[^\\$]+)\\$'))[1];
craig$> $$ language sql immutable;
CREATE FUNCTION
craig=> select extract_salt(password), password from password_history;
  extract_salt |              password
--------------+------------------------------------
  $1$p3AMpr5s  | $1$p3AMpr5s$BtNTSXwIJbHrdnJEZ4NFg.
  $1$FKySMIXg  | $1$FKySMIXg$xFM5osjqclTuaJIUiGvU3.
  $1$MUwd2dGt  | $1$MUwd2dGt$w06IEIvJ1lROXw7WGb3dw.
(3 rows)

craig=> select exists (select 1 from password_history where
crypt('fred', extract_salt(password)) = password);
  ?column?
----------
  t
(1 row)

craig=> select exists (select 1 from password_history where crypt('bob',
extract_salt(password)) = password);
  ?column?
----------
  t
(1 row)

craig=> select exists (select 1 from password_history where
crypt('nosuch', extract_salt(password)) = password);
  ?column?
----------
  f
(1 row)



Make sure to generate a new salt value if you accept the password and
want to store it, though.


( Perhaps pgcrypto needs a function to extract the salt? )


--
Craig Ringer

pgsql-general by date:

Previous
From: Kenichiro Tanaka
Date:
Subject: Re: How to deal with NULL values on dynamic queries?
Next
From: Craig Ringer
Date:
Subject: Re: password management