Thread: Storing sensitive data
I have a table that stores usernames and passwords and I want to encrypt the passwords before they are stored in the database. Will postgresql do this for me, or do I have to do the encryption on the client side? Could you please point me to some instructions on how to accomplish this.
Thanks for your help,
kevin
You could use md5() described in:
http://www.postgresql.org/docs/current/static/functions-string.html
Rgds.
g.-
--
/"\ ASCII Ribbon Campaign .
\ / - NO HTML/RTF in e-mail .
X - NO Word docs in e-mail .
/ \ -----------------------------------------------------------------
On 3/9/06, Kevin Crenshaw <kcrenshaw@viscient.com> wrote:
I have a table that stores usernames and passwords and I want to encrypt the passwords before they are stored in the database. Will postgresql do this for me, or do I have to do the encryption on the client side? Could you please point me to some instructions on how to accomplish this.
Thanks for your help,
kevin
The usual way of doing this is by not storing the password, but instead an MD5 representation of the password:

    INSERT INTO users (username, password) VALUES ('kevin', MD5('mypassword'));
    SELECT * FROM users WHERE username='kevin' AND password=MD5('mypassword');

This does mean that you won't know what your users' passwords are, and that a user can't be reminded of their password, only have it changed, but these are usually unimportant side effects.
Hope this helps,
Neil.
On 3/9/06, Kevin Crenshaw <kcrenshaw@viscient.com> wrote:
> I have a table that stores usernames and passwords and I want to encrypt the
> passwords before they are stored in the database. Will postgresql do this
> for me, or do I have to do the encryption on the client side? Could you
> please point me to some instructions on how to accomplish this.
>
> Thanks for your help,
>
> kevin
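Editor's added example, not part of any poster's message: the same store-and-verify pattern done inside PostgreSQL with the pgcrypto contrib module, which gives each row its own random salt and a tunable work factor. The table and column names (app_users, password_hash) and the cost value 12 are assumptions chosen for illustration.

```sql
-- Added example; app_users / password_hash are hypothetical names.
-- pgcrypto is a contrib extension shipped with PostgreSQL.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_users (
    username      text PRIMARY KEY,
    password_hash text NOT NULL
);

-- Unsalted MD5 (the approach in the thread): two users with the same
-- password get the same digest, so a single precomputed lookup table
-- applies to every row at once.
SELECT md5('mypassword') = md5('mypassword') AS same_digest;

-- Salted, adaptive hash: gen_salt('bf', 12) generates a fresh random
-- bcrypt salt with a cost of 2^12 iterations. crypt() embeds the
-- algorithm, cost and salt in the string it returns.
INSERT INTO app_users (username, password_hash)
VALUES ('kevin', crypt('mypassword', gen_salt('bf', 12))),
       ('neil',  crypt('mypassword', gen_salt('bf', 12)));

-- Same password, but the stored values differ because the salts differ.
SELECT count(DISTINCT password_hash) AS distinct_hashes
FROM app_users;

-- Verification: pass the stored hash as the second argument. crypt()
-- reuses the salt and cost embedded in it, so the comparison succeeds
-- only when the supplied password is the one that was stored.
SELECT username
FROM app_users
WHERE username = 'kevin'
  AND password_hash = crypt('mypassword', password_hash);

-- A wrong password produces a different hash and matches no row.
SELECT username
FROM app_users
WHERE username = 'kevin'
  AND password_hash = crypt('not-the-password', password_hash);
```

With server-side hashing the plaintext password still travels to the database and can appear in statement logs, so use bind parameters and an encrypted connection, or hash in the application instead.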
> I have a table that stores usernames and passwords and I want to encrypt the
> passwords before they are stored in the database. Will postgresql do this
> for me, or do I have to do the encryption on the client side? Could you
> please point me to some instructions on how to accomplish this.
>
> Thanks for your help,
>
> kevin
i found this tutorial to be very helpful...
http://phpsec.org/articles/2005/password-hashing.html
it uses php, but i'm sure you could translate into whatever language you are using.
i also found this helpful, too.
http://www.sitepoint.com/article/users-php-sessions-mysql
it uses mysql, but i easily applied to my favorite db - postgresql. not to mention adapting it to adodb and my forms class.
between the two, you should get a decent user management system.
good luck,
oe1
Neil,
Thanks for your help! That's exactly what I was looking for.
Kevin