Re: field with Password

From: Chris(dot)Ellis(at)shropshire(dot)gov(dot)uk
To: Iñigo Barandiaran <ibarandiaran(at)vicomtech(dot)org>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: field with Password
Date: 2009-02-04 16:42:05
Message-ID: OFC951B8A8.DA173041-ON80257553.005B3A94-80257553.005BE628@shropshire.gov.uk
Lists: pgsql-general

You should always salt your password hashes.

I.e. randomly generate a salt string, then store this and the password hash:

insert into auth (user_id, salt, password) values
(1, 'blah', md5('blah' || 'test')) ;  -- || is string concatenation in PostgreSQL

then to check the password

select true from auth where user_id = 1 and password = md5( salt ||
'test') ;

I tend to set a trigger function to auto generate a salt and hash the
password.

If you want to be really secure, use both a md5 and sha1 hash, since it
has been proved you can generate hash collisions so you could use:

insert into auth (user_id, salt, password) values
(1, 'blah', md5('blah' || 'test') || sha1('blah' || 'test')) ;
-- note: sha1() is not a core PostgreSQL function; with the pgcrypto
-- extension the equivalent is encode(digest('blah' || 'test', 'sha1'), 'hex')

then to check the password

select true from auth where user_id = 1 and password = md5( salt
|| 'test') || sha1( salt || 'test') ;

Chris Ellis

"Raymond C. Rodgers" <sinful622(at)gmail(dot)com>
Sent by: pgsql-general-owner(at)postgresql(dot)org
04/02/2009 14:34

To: Iñigo Barandiaran <ibarandiaran(at)vicomtech(dot)org>
cc: pgsql-general(at)postgresql(dot)org
Subject: Re: [GENERAL] field with Password

Iñigo Barandiaran wrote:
Thanks!

Ok. I've found http://256.com/sources/md5/ library. So the idea is to
define in the database a field of plain text type. When I want to insert a
new user, I define a password, convert it to an MD5 hash with the library and
store it in the database. Afterwards, any user check should get the
content of the database or do the inverse process with the library. Is it
correct?

Thanks so much!!!!!!

Best,

Well, you can use the built-in md5 function for this purpose. For
instance, you could insert a password into the table with a statement
like:

insert into auth_data (user_id, password) values (1, md5('test'));

And compare the supplied password with something like:

select true from auth_data where user_id = 1 and password = md5('test');

You don't need to depend on an external library for this functionality;
it's built right into Postgres. Personally, in my own apps I write in PHP,
I use a combination of sha1 and md5 to hash user passwords, without
depending on Postgres to do the hashing, but the effect is basically the
same.

Raymond

******************************************************************************
If you are not the intended recipient of this email please do not send it on
to others, open any attachments or file the email locally.
Please inform the sender of the error and then delete the original email.
For more information, please refer to http://www.shropshire.gov.uk/privacy.nsf
******************************************************************************
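The scheme discussed above (a random salt stored next to md5(salt || password), checked by recomputing the hash) is reproduced here outside the database so it can be compared with what a practitioner would store today: a slow, salted key-derivation function with a self-describing record and a constant-time comparison. This is an added example, not code from any of the posts in the thread; the function names, the record format "pbkdf2_sha256$iterations$salt$hash", the iteration count and the small word list are all assumptions made for the example.

```python
# Added example, not code from the mailing-list thread. Reproduces the
# md5(salt || password) scheme proposed above, beside a slow salted KDF
# (PBKDF2-HMAC-SHA256) with constant-time verification, and runs a tiny
# constructed dictionary attack against both so the cost per guess shows.
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# --- the thread's scheme: one fast md5 over salt || password per guess ---

def legacy_store(password: str, salt: Optional[str] = None) -> Tuple[str, str]:
    """Return (salt, hex md5 of salt||password), as the posted INSERT does."""
    if salt is None:
        salt = os.urandom(8).hex()            # random per-user salt
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return salt, digest

def legacy_verify(salt: str, stored: str, candidate: str) -> bool:
    """Equivalent of: ... WHERE password = md5(salt || 'candidate')."""
    _, digest = legacy_store(candidate, salt)
    return hmac.compare_digest(digest, stored)

# --- a slow, salted KDF with the parameters stored alongside the hash ---

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster

def kdf_store(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(16)                     # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def kdf_verify(record: str, candidate: str) -> bool:
    """Recompute with the stored parameters; compare in constant time."""
    try:
        alg, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                          # malformed record, reject
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)

# --- what an attacker holding the auth table does with either record ---

WORDLIST = ["password", "letmein", "123456", "test", "qwerty"]  # constructed

def dictionary_attack(
    verify: Callable[[str], bool], wordlist=WORDLIST
) -> Tuple[Optional[str], int, float]:
    """Try each candidate through a verifier; return (match, guesses, seconds)."""
    start = time.perf_counter()
    for n, word in enumerate(wordlist, 1):
        if verify(word):
            return word, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start

if __name__ == "__main__":
    salt, h = legacy_store("test")
    rec = kdf_store("test")
    print("legacy verify:", legacy_verify(salt, h, "test"))
    print("kdf verify:   ", kdf_verify(rec, "test"))
    print("attack legacy:", dictionary_attack(lambda w: legacy_verify(salt, h, w)))
    print("attack kdf:   ", dictionary_attack(lambda w: kdf_verify(rec, w)))
```

Both schemes recover a weak password such as "test" from a word list; the difference is the time per guess, which the third element of each attack result makes visible. The salt only stops precomputed tables and cross-user matching, so concatenating a second fast hash (md5 || sha1) adds nothing against guessing; the work factor does.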
