Thread: storing passwords
Hi,

I don't remember if someone has already asked this, but here goes.

I have a users table in my database that I will use to control access to information on my site. It's really simple; I have the following:

tusers(username text, password text, accesslevel int)

What I'd like to know is if there is a way of storing these passwords as non-plain text or in an encrypted form. I know MySQL has an internal function/datatype that, when specified, encrypts the values given. Is there anything like this in PostgreSQL 8.0.1?

If not, any suggestions on how to store these passwords?

Thanks.
On 2005-04-06, Cima scribbled these curious markings:

> What I'd like to know is if there is a way of storing these passwords as
> non-plain text or in an encrypted form. I know MySQL has an internal
> function/datatype that, when specified, encrypts the values given. Is
> there anything like this in PostgreSQL 8.0.1?
> If not, any suggestions on how to store these passwords?

What I do is receive the password from the user, take the SHA512 (yes, SHA512; I'm thinking ahead), and then either store it in the database (if they're changing their password or registering) or receive the already-stored value from the database and see if the two digests are equal. So long as you encrypt the password before passing it to the database, there'll only be one instance of the password being sent in cleartext: from the user's browser to your server. And you can fix that with SSL.

By the way, please refrain from using HTML in your electronic correspondence. Those of us with text clients (like mine) are unable to read messages posted solely in HTML.

Best Regards,
Christopher Nehren

--
I abhor a system designed for the "user", if that word is a coded pejorative meaning "stupid and unsophisticated". -- Ken Thompson
If you ask the wrong questions, you get answers like "42" and "God".
Unix is user friendly. However, it isn't idiot friendly.
On Wednesday 06 April 2005 00:34, Christopher Nehren wrote:

> On 2005-04-06, Cima scribbled these curious markings:
>
> > What I'd like to know is if there is a way of storing these
> > passwords as non-plain text or in an encrypted form. I know
> > MySQL has an internal function/datatype that, when
> > specified, encrypts the values given. Is there anything
> > like this in PostgreSQL 8.0.1?
> > If not, any suggestions on how to store these passwords?
>
> What I do is receive the password from the user, take the
> SHA512 (yes, SHA512; I'm thinking ahead), and then either store
> it in the database (if they're changing their password or
> registering) or receive the already-stored value from the
> database and see if the two digests are equal. So long as you
> encrypt the password before passing it to the database,
> there'll only be one instance of the password being sent in
> cleartext: from the user's browser to your server. And you can
> fix that with SSL.

Making some kind of digest of a password is nice in that now all digests of passwords are the same length. The problem with just using the password by itself is that if two users somehow have the same password, the digests will be the same as well. If you combine the UserID with the password before taking the digest, then even if two users have the same password, the digests will be different. Which I believe is a better situation.

Gord
On Apr 6, 2005, at 2:44 AM, Cima wrote:

> What I'd like to know is if there is a way of storing these passwords
> as non-plain text or in an encrypted form. I know MySQL has an internal
> function/datatype that, when specified, encrypts the values given.
> Is there anything like this in PostgreSQL 8.0.1?
> If not, any suggestions on how to store these passwords?

You can use the built-in md5 function to generate a digest for the user name and password. This is what PostgreSQL uses.

John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL
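The three replies above describe two variants of the same store-and-compare flow: Christopher's (hash the bare password, store the digest, compare digests at login) and Gord's (fold the user id into the input so two users with the same password get different rows). The Python below is an added example, not code from any of the posters or from PostgreSQL; it uses an in-memory dict as a constructed stand-in for the `tusers` table, and adds a third scheme that goes beyond the thread (a random per-user salt with PBKDF2, which is what a defender would reach for today, since a fast unsalted digest of a common password is cheap to precompute). The `register`, `verify` and `same_digest` helper names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the thread's
# tusers(username text, password text, accesslevel int) table.
# Each row: username -> {"scheme", "digest", "salt", "accesslevel"}
USERS = {}

SCHEMES = {"plain", "username", "pbkdf2"}


def digest_plain(password):
    # Christopher's scheme: SHA-512 of the bare password, hex-encoded.
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def digest_with_username(username, password):
    # Gord's scheme: fold the user id into the input so two users with the
    # same password get different digests. The NUL separator keeps
    # ("ab", "c") and ("a", "bc") from producing the same input.
    data = username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.sha512(data).hexdigest()


def digest_pbkdf2(password, salt, iterations=200_000):
    # Added practice beyond the thread: a random per-user salt plus a slow
    # key-derivation function, so equal passwords never share a digest and
    # each offline guess costs real work. Iteration count is illustrative.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()


def register(username, password, accesslevel, scheme="pbkdf2"):
    """Store only a digest; the cleartext password never reaches the table."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")
    salt = None
    if scheme == "plain":
        digest = digest_plain(password)
    elif scheme == "username":
        digest = digest_with_username(username, password)
    else:
        salt = os.urandom(16)
        digest = digest_pbkdf2(password, salt)
    USERS[username] = {
        "scheme": scheme,
        "digest": digest,
        "salt": salt,
        "accesslevel": accesslevel,
    }
    return digest


def verify(username, password):
    """Recompute the digest for the stored scheme and compare in constant time."""
    row = USERS.get(username)
    if row is None:
        return False
    scheme = row["scheme"]
    if scheme == "plain":
        candidate = digest_plain(password)
    elif scheme == "username":
        candidate = digest_with_username(username, password)
    else:
        candidate = digest_pbkdf2(password, row["salt"])
    # hmac.compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(candidate, row["digest"])


def same_digest(user_a, user_b):
    """True when two rows hold an identical digest (the situation Gord warns about)."""
    return USERS[user_a]["digest"] == USERS[user_b]["digest"]


if __name__ == "__main__":
    register("alice", "correct horse", 1, scheme="plain")
    register("bob", "correct horse", 1, scheme="plain")
    print("plain digest, shared password -> identical rows:", same_digest("alice", "bob"))
    register("carol", "correct horse", 1, scheme="username")
    register("dave", "correct horse", 1, scheme="username")
    print("username-combined digest -> identical rows:", same_digest("carol", "dave"))
    register("erin", "correct horse", 2)
    print("pbkdf2 login ok:", verify("erin", "correct horse"),
          "wrong password:", verify("erin", "wrong"))
```

Whatever scheme the table uses, the comparison should happen on the digest the application recomputes, never by sending the cleartext to the database as part of a query; and if the rows are ever exported or backed up, the salted, iterated form is the one that limits the damage.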