On Thu, Apr 29, 2004 at 09:07:16 +0200, Joolz <joolz@xxxxxxxxx> wrote: > > I want to store passwords in a pg db, MD5 seems like a good way to > enhance security (no more plaintext passwords over the line etc.) I > had a look at MD5, in PHP 4.3.4 there is a function md5() which seems > to work nicely: This may not help as much as you think. If you are using an ssl connection, the passwords won't be sent in the clear. If you aren't using an ssl connection the hashes will be in clear. I don't believe the postgres uses a random challenge so that you won't really raise the bar much. Plus if snooping passwords is a threat, most likely snooping data will be as well (though not always) and forcing connections to use ssl may be your best bet. I believe as typically used this is vulnerable to man in the middle attacks, but these are going to be significantly harder to do than simple snooping.
