Re: field with Password - Mailing list pgsql-general

From Chris.Ellis@shropshire.gov.uk
Subject Re: field with Password
Date
Msg-id OFC951B8A8.DA173041-ON80257553.005B3A94-80257553.005BE628@shropshire.gov.uk
Whole thread Raw
In response to Re: field with Password  ("Raymond C. Rodgers" <sinful622@gmail.com>)
Responses Re: field with Password
List pgsql-general

You should always salt your password hashes.

Ie randomly generate a salt string, the store this and the password hash:

        insert into auth (user_id, salt, password) values (1,'blah',md5('blah' + 'test')) ;

then to check the password

        select true from auth where user_id = 1 and password = md5( salt + 'test') ;


I tend to set a trigger function to auto generate a salt and hash the password.



If you want to be really secure, use both a md5 and sha1 hash, snice it has been proved you can generate hash collisions so you could use:

        insert into auth (user_id, salt, password) values (1,'blah',md5('blah' || 'test') || sha1('blah' || 'test')) ;

then to check the password

        select true from auth where user_id = 1 and password = md5( salt || 'test')  || sha1( salt || 'test') ;

Chris Ellis




"Raymond C. Rodgers" <sinful622@gmail.com>
Sent by: pgsql-general-owner@postgresql.org

04/02/2009 14:34

To
Iñigo Barandiaran <ibarandiaran@vicomtech.org>
cc
pgsql-general@postgresql.org
Subject
Re: [GENERAL] field with Password





Iñigo Barandiaran wrote:
Thanks!


Ok. I've found
http://256.com/sources/md5/ library. So the idea is to define in the dataBase a Field of PlainText type. When I want to insert a new user, I define a password, convert to MD5 hash with the library and store it in the DataBase. Afterwards, any user check should get the content of the DataBase of do the inverse process with the library. Is it correct?

Thanks so much!!!!!!

Best,

Well, you can use the built-in md5 function for this purpose. For instance, you could insert a password into the table with a statement like:

insert into auth_data (user_id, password) values (1, md5('test'));

And compare the supplied password with something like:

select true from auth_data where user_id = 1 and password = md5('test');

You don't need to depend on an external library for this functionality; it's built right into Postgres. Personally, in my own apps I write in PHP, I  use a combination of sha1 and md5 to hash user passwords, without depending on Postgres to do the hashing, but the effect is basically the same.

Raymond

******************************************************************************

If you are not the intended recipient of this email please do not send it on

to others, open any attachments or file the email locally.

Please inform the sender of the error and then delete the original email.

For more information, please refer to http://www.shropshire.gov.uk/privacy.nsf

******************************************************************************

 

pgsql-general by date:

Previous
From: Iñigo Barandiaran
Date:
Subject: Re: field with Password
Next
From: Guy Rouillier
Date:
Subject: Re: Pet Peeves?