Re: creating table with an encrypted field

From: Nick Sayer <nsayer(at)quack(dot)kfu(dot)com>
To: hretzlaw(at)etm-ag(dot)com
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: creating table with an encrypted field
Date: 2002-11-08 17:21:23
Message-ID: 3DCBF293.1060700@quack.kfu.com
Lists: pgsql-novice

It sort of begs the question: Who is it you're protecting the field
from? Clearly some classes of user need to access the data and some
don't. You can use encryption as a means of access control, certainly,
but typically it's better to just use access control (GRANT and DENY).
Apart from database access, the only way to get access to the tables is
through the filesystem, and if an attacker is in a position to rape your
filesystem, you've probably got much bigger problems.

Passwords are a special case - typically the question you ask about
passwords is 'did the user supply the correct one?' not 'what is the
user's password?' In this circumstance, it is safer to store a hash of
the user's password. My preferred method is to use the MD5 hash of the
user's login name, a ':' (or some other separator) and the user's
password. The addition of the username means that two users who have the
same password won't *look* like they do if someone somehow gets ahold of
the list and tries an offline dictionary attack.

This fails for situations like IMAP non-plaintext authentications where
the server actually has to know the user's plaintext password, but that
sort of thing is beyond the scope of this e-mail. :-)

Retzlaw Heinrich wrote:

> Hello,
> I want to create a table with an encrypted field for a password entry, so
> that you can see only ********.
> And can I encrypt fields which datatype is an integer or a timestamp?
>
> Thank you
> Best regards Heinrich
>
> Heinrich Retzlaw - Software Developer
> ETM Deutschland GmbH
> Adenauerstraße 20-A1, D-52146 Aachen
> Tel. +49/2405/483-0, Fax -707
> E-Mail: hretzlaw(at)etm(dot)at
> Web: http://www.etm.at http://www.praedico.com
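The table layout the reply above describes, written out as an added example for PostgreSQL; it is not code from the thread or from either poster. It applies both points of the reply: privileges instead of encryption for the "who may read it" problem, and a stored hash of login, separator and password for the "did the user supply the right one" problem. The role names app_login and report_user, the two sample users and their passwords are constructed for the example; md5(text) is PostgreSQL's built-in function returning a 32-character hex string.

```sql
-- Added example, not from the thread. Roles app_login and report_user and
-- the sample rows are assumptions made for this illustration.

CREATE TABLE users (
    login   text PRIMARY KEY,
    pwhash  char(32) NOT NULL   -- md5(login || ':' || password), hex digest
);

-- Access control, not encryption: PostgreSQL privileges are managed with
-- GRANT and REVOKE. Take the table away from everyone, then give the
-- application role only what it needs.
REVOKE ALL ON users FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE ON users TO app_login;

-- Store a hash, never the password itself. Putting the login name into
-- the hashed string makes two users who share a password store two
-- different values, so the duplicate is not visible in a leaked table.
INSERT INTO users (login, pwhash) VALUES
    ('alice', md5('alice' || ':' || 'hunter2')),
    ('bob',   md5('bob'   || ':' || 'hunter2'));

-- Verification answers "is this the correct password?" without ever
-- reading the password back: one row means yes, no rows means no.
SELECT 1
  FROM users
 WHERE login  = 'alice'
   AND pwhash = md5('alice' || ':' || 'hunter2');

-- Roles that may list users but must never see the stored hash get a
-- view that shows the asterisks the original poster asked for. The view
-- runs with its owner's privileges, so report_user needs no grant on users.
CREATE VIEW users_masked AS
    SELECT login, '********'::text AS password
      FROM users;
GRANT SELECT ON users_masked TO report_user;
```

Two caveats for anyone reusing the hashing part today: MD5 is fast, and the login name is a predictable salt, so an offline guess against a leaked table is cheap; the pgcrypto extension's crypt() and gen_salt() give a random per-row salt and a deliberately slow hash with the same "compare, don't decrypt" usage pattern. And, as the reply notes, this works only for services that compare a supplied password; protocols that need the cleartext on the server side cannot use a stored hash at all.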
