
Re: MD5 in pg and php

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: list-postgresql-php <pgsql-php(at)postgresql(dot)org>
Subject: Re: MD5 in pg and php
Date: 2004-04-29 10:11:29
Message-ID: 20040429101129.GC26489@wolff.to
Lists: pgsql-php
On Thu, Apr 29, 2004 at 09:07:16 +0200,
  Joolz <joolz(at)xs4all(dot)nl> wrote:
> 
> I want to store passwords in a pg db, MD5 seems like a good way to
> enhance security (no more plaintext passwords over the line etc.) I
> had a look at MD5, in PHP 4.3.4 there is a function md5() which seems
> to work nicely:

This may not help as much as you think. If you are using an ssl connection,
the passwords won't be sent in the clear. If you aren't using an ssl
connection, the hashes will be in the clear. I don't believe postgres
uses a random challenge, so you won't really raise the bar much.
Plus, if snooping passwords is a threat, most likely snooping data will
be as well (though not always), and forcing connections to use ssl may be
your best bet. I believe as typically used this is vulnerable to
man-in-the-middle attacks, but these are going to be significantly harder to do than
simple snooping.
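
The point about a missing random challenge in the reply above, as an added example that is not part of the original message: a server that accepts a fixed MD5 hash treats the hash itself as the credential, while a fresh per-login challenge makes a recorded response worthless. The class names, the sample password and the HMAC-SHA-256 challenge scheme are constructed assumptions for illustration, not PostgreSQL's or PHP's own mechanism.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential, for illustration only.
PASSWORD = "correct horse battery staple"


class StaticHashServer:
    """Accepts md5(password) from the client: the hash itself is the credential."""

    def __init__(self, password: str):
        self.stored = hashlib.md5(password.encode()).hexdigest()

    def login(self, sent_hash: str) -> bool:
        return hmac.compare_digest(self.stored, sent_hash)


class ChallengeServer:
    """Issues a fresh random nonce per login and accepts HMAC(key, nonce) once."""

    def __init__(self, password: str):
        # Assumption: client and server derive the same key from the password.
        self.key = hashlib.sha256(password.encode()).digest()
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:      # unknown or already consumed challenge
            return False
        self.pending.discard(nonce)        # each challenge is single use
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    static, chal = StaticHashServer(PASSWORD), ChallengeServer(PASSWORD)
    seen_hash = hashlib.md5(PASSWORD.encode()).hexdigest()  # value visible on the wire
    n1 = chal.challenge()
    seen_resp = client_response(PASSWORD, n1)                # value visible on the wire
    return {
        "static_legit": static.login(seen_hash),
        "static_replay": static.login(seen_hash),            # recorded value reused
        "chal_legit": chal.login(n1, seen_resp),
        "chal_replay_same_nonce": chal.login(n1, seen_resp),
        "chal_replay_new_nonce": chal.login(chal.challenge(), seen_resp),
    }
```

Neither variant protects the data exchanged after login or stops an active man in the middle, which is why the reply recommends forcing ssl.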
