| From: | Murray Cumming <murrayc(at)murrayc(dot)com> |
|---|---|
| To: | Peter Bex <Peter(dot)Bex(at)xs4all(dot)nl> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Authenticate with hash instead of plaintext password? |
| Date: | 2012-12-16 16:38:37 |
| Message-ID: | 1355675917.11547.6.camel@murrayc-ThinkPad-X220 |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Sun, 2012-12-16 at 17:24 +0100, Peter Bex wrote:
> On Sun, Dec 16, 2012 at 04:54:30PM +0100, Murray Cumming wrote:
> > libpq lets me open a connection by specifying a password:
> > http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS
> >
> > Is there any way to specify a hash of the password when connecting, instead of
> > providing the password itself?
>
> What's the use of that?
[snip]
I would not be storing the plaintext password anywhere. That makes it
harder for someone get the plaintext password if they break into the
server, and therefore harder for someone to use that password to break
into another account if the user has used the same password.
There have been plenty of high profile cases recently of password
databases being stolen, with those passwords being in plaintext, or
hashed without a salt, making user accounts on other systems vulnerable.
I'd like to avoid making the same embarrassing mistake.
murrayc(at)murrayc(dot)com
www.murrayc.com
www.openismus.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | aasat | 2012-12-16 16:44:20 | The fastes way to sum array of integers |
| Previous Message | Peter Bex | 2012-12-16 16:24:13 | Re: Authenticate with hash instead of plaintext password? |