Thread: Storing/Using Passwords

Storing/Using Passwords

From
William Shatner
Date:
Hello,

I am using PostgreSQL 8.0 as a data repository for a Java based system
and I now want to add users to my java program with usernames and
passwords. Is their an encrypted password field I can use in a User
Table to store passwords or what would be the best way to approach
this?

The usernames and passwords will apply for connection to the  to the
java program only. All users will be connecting to the PostgreSQL
database transparently using the same username/password stored in a
properties file to validate their java program username/passwords.

Kind Regards,
Will

Re: Storing/Using Passwords

From
Sean Davis
Date:
You can compute an MD5 hash in Java and store that.  Then, when a user
enters a password, just compare the same MD5 hash to the value stored
in the database.

Sean

On May 18, 2005, at 6:40 AM, William Shatner wrote:

> Hello,
>
> I am using PostgreSQL 8.0 as a data repository for a Java based system
> and I now want to add users to my java program with usernames and
> passwords. Is their an encrypted password field I can use in a User
> Table to store passwords or what would be the best way to approach
> this?
>
> The usernames and passwords will apply for connection to the  to the
> java program only. All users will be connecting to the PostgreSQL
> database transparently using the same username/password stored in a
> properties file to validate their java program username/passwords.
>
> Kind Regards,
> Will
>
> ---------------------------(end of
> broadcast)---------------------------
> TIP 8: explain analyze is your friend
>


Re: Storing/Using Passwords

From
Pascual De Ruvo
Date:


On 5/18/05, Sean Davis <sdavis2@mail.nih.gov> wrote:
You can compute an MD5 hash in Java and store that.  Then, when a user
enters a password, just compare the same MD5 hash to the value stored
in the database.


If you use oly the MD5 hash of the username, someone with access to the table could replace an existing password and gain access to the system.

In case you want to add an extra level of security you should make the hash unique to every username in YOUR system, in order to do this, you can concatenate the username, the password, an static text and a dynamic element (can be the OID of the row) , then compute the MD5 hash  and store it in  the users table. Then compute the MD5 hash with the same logic and compare it with the stored value any time you want to authenticate the user.