Re: field with Password - Mailing list pgsql-general
| From | Chris.Ellis@shropshire.gov.uk |
|---|---|
| Subject | Re: field with Password |
| Date | |
| Msg-id | OFC951B8A8.DA173041-ON80257553.005B3A94-80257553.005BE628@shropshire.gov.uk Whole thread Raw |
| In response to | Re: field with Password ("Raymond C. Rodgers" <sinful622@gmail.com>) |
| Responses |
Re: field with Password
|
| List | pgsql-general |
You should always salt your password hashes.
Ie randomly generate a salt string, the store this and the password hash:
insert into auth (user_id, salt, password) values (1,'blah',md5('blah' + 'test')) ;
then to check the password
select true from auth where user_id = 1 and password = md5( salt + 'test') ;
I tend to set a trigger function to auto generate a salt and hash the password.
If you want to be really secure, use both a md5 and sha1 hash, snice it has been proved you can generate hash collisions so you could use:
insert into auth (user_id, salt, password) values (1,'blah',md5('blah' || 'test') || sha1('blah' || 'test')) ;
then to check the password
select true from auth where user_id = 1 and password = md5( salt || 'test') || sha1( salt || 'test') ;
Chris Ellis
| "Raymond C. Rodgers" <sinful622@gmail.com> Sent by: pgsql-general-owner@postgresql.org 04/02/2009 14:34 |
|
Iñigo Barandiaran wrote:
Thanks!
Ok. I've found http://256.com/sources/md5/ library. So the idea is to define in the dataBase a Field of PlainText type. When I want to insert a new user, I define a password, convert to MD5 hash with the library and store it in the DataBase. Afterwards, any user check should get the content of the DataBase of do the inverse process with the library. Is it correct?
Thanks so much!!!!!!
Best,
Well, you can use the built-in md5 function for this purpose. For instance, you could insert a password into the table with a statement like:
insert into auth_data (user_id, password) values (1, md5('test'));
And compare the supplied password with something like:
select true from auth_data where user_id = 1 and password = md5('test');
You don't need to depend on an external library for this functionality; it's built right into Postgres. Personally, in my own apps I write in PHP, I use a combination of sha1 and md5 to hash user passwords, without depending on Postgres to do the hashing, but the effect is basically the same.
Raymond
******************************************************************************
If you are not the intended recipient of this email please do not send it on
to others, open any attachments or file the email locally.
Please inform the sender of the error and then delete the original email.
For more information, please refer to http://www.shropshire.gov.uk/privacy.nsf
******************************************************************************
pgsql-general by date: