| From: | "Adam Rich" <adam(dot)r(at)sbcglobal(dot)net> |
|---|---|
| To: | "'Sam Mason'" <sam(at)samason(dot)me(dot)uk>, <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: ramblings about password exposure (WAS: field with Password) |
| Date: | 2009-02-04 22:18:23 |
| Message-ID: | 0b1501c98716$7f1c6f50$7d554df0$@r@sbcglobal.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> On Wed, Feb 04, 2009 at 09:34:56AM -0500, Raymond C. Rodgers wrote:
> > You don't need to depend on an external library for this
> functionality;
> > it's built right into Postgres. Personally, in my own apps I write in
> > PHP, I use a combination of sha1 and md5 to hash user passwords,
> > without depending on Postgres to do the hashing, but the effect is
> > basically the same.
>
> Doing the hashing outside PG would reduce the chance of the password
> being exposed, either accidentally by, say, turning on statement
> logging, or maliciously. A general rule with passwords is to throw
> away
> any copy of a plain text password as quickly as possible, sending the
> password over to another process would go against this.
>
Agreed. Another benefit of this is the hashing support in PHP is more
flexible. I personally use the hash() function to get a SHA-256 hash
instead of the weaker sha1 or md5.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Raymond O'Donnell | 2009-02-04 22:38:00 | Re: Elapsed time between timestamp variables in Function |
| Previous Message | Nico Callewaert | 2009-02-04 21:59:17 | Elapsed time between timestamp variables in Function |