Thread: MD5(MD5(pw)) OK?

MD5(MD5(pw)) OK?

From
Joachim Zobel
Date:
Hi.

I am thinking about building a login, where the logged in users are
stored in a table logins. To make it shure and documented the users have
entered a password I want to store the MD5(pw) in logins. To make it
impossible to fake logins entries I plan to store the MD5(MD5(pw)) in
the users table and use this for authentication purposes.

This seems like a good idea to me. Does anybody see any flaws?

Thx,
Joachim

--
"... ein Geschlecht erfinderischer Zwerge, die fuer alles gemietet werden
koennen."                            - Bertolt Brecht - Leben des Galilei


Re: MD5(MD5(pw)) OK?

From
Tom Lane
Date:
Joachim Zobel <jzobel@heute-morgen.de> writes:
> I am thinking about building a login, where the logged in users are
> stored in a table logins. To make it shure and documented the users have
> entered a password I want to store the MD5(pw) in logins. To make it
> impossible to fake logins entries I plan to store the MD5(MD5(pw)) in
> the users table and use this for authentication purposes.

> This seems like a good idea to me. Does anybody see any flaws?

Well, for one thing, it would be instantly apparent from the users table
if two users had chosen the same password.

You might want to copy the way things are done in the postgres pg_shadow
table, which from memory is something like MD5(MD5(pw) || username).

            regards, tom lane