Thread: Question on crypt password
hi,
i want to authenticate web users from postgresql for which i created a table having, among others, username & password... is there any data types where password can be stored encrypted ?.. at present am using varchar(16) but i c one (administrator) can read the password. i didn't find any data type specifying encrypted type !...
thanking in advance
A.H

On Fri, 24 May 2002, Arindam Haldar wrote:
> i want to authenticate web users from postgresql for which i created a
> table having, among others, username & password... is there any data
> types where password can be stored encrypted ?.. at present am using
> varchar(16) but i c one (administrator) can read the password. i didn't
> find any data type specifying encrypted type !...

mod_auth_pgsql for Apache has an option to read encrypted passwords. You can choose between plain, md5 and crypt. But it doesn't bother how you inserted it into the table. Seems that you have to encrypt it with your favourite tool before you insert it. In the table it's just a text/varchar type AFAIK.

--
PGP/GPG Key-ID: http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1

On Fri, 24 May 2002 12:45:00 +0530
"Arindam Haldar" <arindamhaldar@hotpop.com> wrote:
> hi,
> i want to authenticate web users from postgresql for which i created a
> table having, among others, username & password... is there any data
> types where password can be stored encrypted ?.. at present am using
> varchar(16) but i c one (administrator) can read the password. i didn't
> find any data type specifying encrypted type !...

Use contrib/pgcrypto, store the hashed version of the password (say, using SHA1). When you want to check if the correct password is used, hash the string the user entered and compare it to the stored version.

Cheers,
Neil

--
Neil Conway <neilconway@rogers.com>
PGP Key ID: DB3C29FC
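
The store-a-hash-and-compare approach suggested above, as an added example that is not part of the original thread or of pgcrypto's own documentation. It keeps the SHA1 digest mentioned in the reply next to pgcrypto's salted crypt()/gen_salt() output so the difference between the two is visible; the table, column and user names and the passwords are assumptions made up for the example.

```sql
-- Added example: web_users, its columns, the user names and the passwords
-- are hypothetical, constructed for illustration.
-- On current PostgreSQL pgcrypto is loaded with CREATE EXTENSION; older
-- releases install it from the contrib/pgcrypto SQL script instead.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE web_users (
    username  text PRIMARY KEY,
    sha1_hex  text NOT NULL,  -- plain SHA1 digest, as suggested in the thread
    pw_crypt  text NOT NULL   -- salted crypt() output
);

-- Two users who happen to choose the same password. Only the hashes are
-- stored, so an administrator reading the table never sees the password.
INSERT INTO web_users (username, sha1_hex, pw_crypt)
SELECT u,
       encode(digest('sample-Passw0rd'::text, 'sha1'), 'hex'),
       crypt('sample-Passw0rd', gen_salt('bf', 8))  -- fresh random salt per row
FROM (VALUES ('alice'), ('bob')) AS t(u);

-- The unsalted SHA1 values are identical for both rows, so equal passwords
-- are visible in the table and one precomputed lookup covers both accounts.
-- The crypt() values differ because each row received its own salt.
SELECT count(DISTINCT sha1_hex) AS distinct_sha1,
       count(DISTINCT pw_crypt) AS distinct_crypt
FROM web_users;

-- Login check: crypt() reads the algorithm and salt back out of the stored
-- value, hashes the candidate the same way, and the results are compared.
SELECT username,
       pw_crypt = crypt('sample-Passw0rd', pw_crypt) AS correct_password,
       pw_crypt = crypt('wrong-guess', pw_crypt)     AS wrong_password
FROM web_users;
```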

Neil Conway sez:
} On Fri, 24 May 2002 12:45:00 +0530
} "Arindam Haldar" <arindamhaldar@hotpop.com> wrote:
} > hi,
} > i want to authenticate web users from postgresql for which i created a
} > table having, among others, username & password... is there any data
} > types where password can be stored encrypted ?.. at present am using
} > varchar(16) but i c one (administrator) can read the password. i didn't
} > find any data type specifying encrypted type !...
}
} Use contrib/pgcrypto, store the hashed version of the password (say,
} using SHA1). When you want to check if the correct password is used,
} hash the string the user entered and compare it to the stored version.

Where is the documentation on this? Is it like what I wound up doing (see below)?

Since I was coming from MySQL, I wanted the PASSWORD() function it has builtin and I wound up writing it as a C function:

    CREATE FUNCTION PASSWORD (text)
    RETURNS text
    AS '/home/gss/src/crypt.so'
    LANGUAGE C WITH (isstrict);

I can attach the C source if anyone is interested.

} Cheers,
} Neil

--Greg

On Fri, 24 May 2002 15:02:08 -0400
"Gregory Seidman" <gss+pg@cs.brown.edu> wrote:
> Neil Conway sez:
> } Use contrib/pgcrypto, store the hashed version of the password (say,
> } using SHA1). When you want to check if the correct password is used,
> } hash the string the user entered and compare it to the stored version.
>
> Where is the documentation on this?

In contrib/pgcrypto/README.pgcrypto, which is part of the PostgreSQL source tree. Perhaps it should be better documented -- it's quite a neat package.

> Is it like what I wound up doing (see below)?

Similar, but a lot more powerful.

Cheers,
Neil

--
Neil Conway <neilconway@rogers.com>
PGP Key ID: DB3C29FC

On Fri, 2002-05-24 at 22:02, Gregory Seidman wrote:
> Since I was coming from MySQL, I wanted the PASSWORD() function it has
> builtin and I wound up writing it as a C function:
> I can attach the C source if anyone is interested.

Hi. I'd be interested in that. Does it duplicate MySQL's PASSWORD() exactly? I need to import hashes from MySQL to PostgreSQL.

Timo