Re: ramblings about password exposure (WAS: field with Password)

From: Sam Mason <sam(at)samason(dot)me(dot)uk>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: ramblings about password exposure (WAS: field with Password)
Date: 2009-02-04 15:22:47
Message-ID: 20090204152247.GU3008@frubble.xen.chris-lamb.co.uk
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Wed, Feb 04, 2009 at 09:34:56AM -0500, Raymond C. Rodgers wrote:
> You don't need to depend on an external library for this functionality;
> it's built right into Postgres. Personally, in my own apps I write in
> PHP, I use a combination of sha1 and md5 to hash user passwords,
> without depending on Postgres to do the hashing, but the effect is
> basically the same.

Doing the hashing outside PG would reduce the chance of the password
being exposed, either accidentally by, say, turning on statement
logging, or maliciously. A general rule with passwords is to throw away
any copy of a plain text password as quickly as possible, sending the
password over to another process would go against this.

--
Sam http://samason.me.uk/

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message A.M. 2009-02-04 16:25:50 Re: Pet Peeves?
Previous Message Iñigo Barandiaran 2009-02-04 14:52:42 Re: field with Password