Re: Password encryption method

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Password encryption method
Date: 2007-01-19 15:41:49
Message-ID: 20070119154149.GA13687@wolff.to
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Fri, Jan 19, 2007 at 09:31:49 +0100,
Bertram Scharpf <lists(at)bertram-scharpf(dot)de> wrote:
> Hi,
>
> looking at the source code I find out that this works:
>
> sandbox=# create role joe login password 'verysecret';
> CREATE ROLE
> sandbox=# create function validate_user_8_1(text,text) returns boolean immutable language 'sql' as $$ select 'md5'||md5($2||$1) = rolpassword from pg_authid where rolname=$1; $$;
> CREATE FUNCTION
> sandbox=# select validate_user_8_1('joe','verysecret');
> validate_user_8_1
> -------------------
> t
> (1 Zeile)
>
> May I rely on this in future versions or are there more
> sophisticated ways to do it?

I don't know that I would 'rely' on it, but it doesn't seem like something
that is likely to change any time soon. But I could see there being alternate
hash functions being used eventually.

It might make more sense to use your own table of users and hashed passwords
rather than postgres'. This would depend somewhat on the overlap of users who
are using your application and those who connect directly to the database.
If there isn't much overlap, having a separate table is probably better.

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Ian Harding 2007-01-19 16:07:55 A Picture is Worth
Previous Message Scott Ribe 2007-01-19 15:08:39 Re: PG not rejecting bad dates (was Re: Finding bogus