Thread: storing passwords

storing passwords

From
"Cima"
Date:
Hi,

I don't remember if someone already asked this, but here goes.
I have a users table in my database that I will use to control the access of information on my site. It's really simple; I have the following:

tusers(username text, password text, accesslevel int)

What I'd like to know is if there is a way of storing these passwords as non-plain text or in an encrypted form. I know MySQL has an internal function/datatype that, when specified, encrypts the values given. Is there anything like this in PostgreSQL 8.0.1?
If not, any suggestions on how to store these passwords?

Thanks.

Re: storing passwords

From
Christopher Nehren
Date:

On 2005-04-06, Cima scribbled these
curious markings:
> what I'd like to know is if there is a way of storing these passwords as
> non-plain text or in an encrypted form. I know MySQL has an internal
> function/datatype that, when specified, encrypts the values given. Is
> there anything like this in PostgreSQL 8.0.1?
> If not, any suggestions on how to store these passwords?

What I do is receive the password from the user, take the SHA512 (yes,
SHA512; I'm thinking ahead), and then either store it in the database
(if they're changing their password or registering) or receive the
already-stored value from the database and see if the two digests are
equal. So long as you encrypt the password before passing it to the
database, there'll only be one instance of the password being sent in
cleartext: from the user's browser to your server. And you can fix that
with SSL.

By the way, please refrain from using HTML in your electronic
correspondence. Those of us with text clients (like mine) are unable to
read messages posted solely in HTML.

Best Regards,
Christopher Nehren

--
I abhor a system designed for the "user", if that word is a coded
pejorative meaning "stupid and unsophisticated". -- Ken Thompson
If you ask the wrong questions, you get answers like "42" and "God".
Unix is user friendly. However, it isn't idiot friendly.

Re: storing passwords

From
Gordon Haverland
Date:
On Wednesday 06 April 2005 00:34, Christopher Nehren wrote:
> On 2005-04-06, Cima scribbled these
>
> curious markings:
> > what id like to know is if there is a way of storing these
> > passwords as nonplain text or in an encrypted form. i know
> > mysql has an internal function/datatype that when
> > specified, it encrypts the values given.  is there anything
> > like this in postgresql 8.0.1?
> > If not, any suggestions on how to store these passwords?
>
> What I do is receive the password from the user, take the
> SHA512 (yes, SHA512; I'm thinking ahead), and then either store
> it in the database (if they're changing their password or
> registering) or receive the already-stored value from the
> database and see if the two digests are equal. So long as you
> encrypt the password before passing it to the database,
> there'll only be one instance of the password being sent in
> cleartext: from the user's browser to your server. And you can
> fix that with SSL.

Making some kind of digest of a password is nice in that now all
digests of passwords are the same length.  The problem with just
using the password by itself is that if two users somehow have
the same password, the digests will be the same as well.  If you
combine the UserID with the password before taking the digest,
then even if two users have the same passwords, the digests will
be different.  Which I believe is a better situation.

Gord

Re: storing passwords

From
John DeSoi
Date:
On Apr 6, 2005, at 2:44 AM, Cima wrote:

>
> what id like to know is if there is a way of storing these passwords
> as nonplain text or in an encrypted form. i know mysql has an internal
> function/datatype that when specified, it encrypts the values given.
>  is there anything like this in postgresql 8.0.1?
> If not, any suggestions on how to store these passwords?

You can use the built in md5 function to generate a digest for the user
name and password. This is what PostgreSQL uses.

John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL
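The three replies above sketch one scheme between them: hash the password in the application before it is sent to the database, mix the user id into the input so that two users with the same password do not end up with the same stored value, and note that PostgreSQL's own MD5 role passwords are built the same way ('md5' followed by md5(password || username)). The Python 3 block below is an added example written for this page, not code posted by any of the participants. It assumes an in-memory sqlite3 table as an offline stand-in for PostgreSQL 8.0.1 (the SQL is the same on either), the constructed users alice, bob and carol with made-up passwords, and function names that are my own.

```python
"""Added example (not code from the thread): hash-before-store for the
tusers(username, password, accesslevel) table, standard library only.
sqlite3 in memory stands in for PostgreSQL 8.0.1 so the example runs
offline; the SQL itself is the same on either database."""
import hashlib
import hmac
import sqlite3


def plain_digest(password: str) -> str:
    """Digest of the password alone (the scheme in the first reply).
    Two users with the same password get the same stored value."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def user_digest(username: str, password: str) -> str:
    """Digest of the user id combined with the password (the second reply).
    The NUL separator keeps ("ab", "c") and ("a", "bc") from hashing alike."""
    data = username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.sha512(data).hexdigest()


def pg_md5_password(username: str, password: str) -> str:
    """What PostgreSQL itself stores for an MD5 role password:
    'md5' followed by hex(md5(password || username)), as the third reply
    alludes to. Shown for comparison only."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    # Same columns as the table in the original question.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tusers(username text PRIMARY KEY,"
        " password text, accesslevel int)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str,
             accesslevel: int) -> None:
    # Only the digest is sent to the database; the cleartext never
    # leaves the application process.
    conn.execute(
        "INSERT INTO tusers(username, password, accesslevel) VALUES (?, ?, ?)",
        (username, user_digest(username, password), accesslevel),
    )
    conn.commit()


def login(conn: sqlite3.Connection, username: str, password: str):
    """Return the user's accesslevel on success, None on failure."""
    row = conn.execute(
        "SELECT password, accesslevel FROM tusers WHERE username = ?",
        (username,),
    ).fetchone()
    # Always compute the digest so an unknown user costs about the same
    # time as a wrong password.
    candidate = user_digest(username, password)
    if row is None:
        return None
    stored, accesslevel = row
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(stored, candidate):
        return accesslevel
    return None


def demo() -> dict:
    """Register two constructed users with the same password and report
    what ends up in the table and how login behaves."""
    conn = open_db()
    register(conn, "alice", "hunter2", 2)
    register(conn, "bob", "hunter2", 1)
    stored = dict(conn.execute("SELECT username, password FROM tusers"))
    return {
        "same_plain_digest": plain_digest("hunter2") == plain_digest("hunter2"),
        "same_stored_value": stored["alice"] == stored["bob"],
        "alice_level": login(conn, "alice", "hunter2"),
        "bad_password": login(conn, "alice", "hunter3"),
        "unknown_user": login(conn, "carol", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the thread does not spell out: a username is a predictable salt, so someone who obtains the table can still run a dictionary against any single row, and one SHA-512 (or MD5) call is fast enough that such a run is cheap. For new code the usual choice is a random per-user salt plus a deliberately slow password hash (hashlib.pbkdf2_hmac or hashlib.scrypt in the standard library); the store-the-digest and compare-on-login flow above stays the same.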