On Wed, 8 Jun 2011 21:07:12 +0200, Isak Hansen wrote:
On Wed, Jun 8, 2011 at 11:43 AM, Radosław Smogura <rsmogura@xxxxxxxxxxxxxxx> wrote:
You should actually only consider the safety of storing such passwords in the database. If with md5 the password isn't digested like in HTTP DIGEST auth, and only the md5 shortcut is transferred, it has no meaning whether you transfer the clear password or the md5 password over the network (OK, it has, if you use the same password in at least two services that both store the password with md5). On a higher level you may note that MD5 is a little bit out-dated and isn't considered secure; currently I think only SHA-256 is secure.

If you suspect that someone on your network may sniff the password, use cert auth or Kerberos or one of its mutations.
While MD5 is considered broken for certain applications, it's still perfectly valid for auth purposes.
Just one tip: if you will trust all of 127.0.0.1, please bear in mind that everyone who has access to the db server may be a db superuser.
Regards,
Radek
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
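The point Radek makes about what the md5 method actually protects is easiest to see by running the exchange. The block below is an added example, not code from the thread or from PostgreSQL itself; it re-implements the md5 password scheme as the server and libpq compute it (stored value 'md5' + md5(password || username); challenge response 'md5' + md5(inner_hex || 4-byte salt)). The role name, password and salt are constructed sample values, and the function names are this example's own. It shows three things: a legitimate client and a party who only read the stored hash (from pg_authid, a dump or a backup) produce identical responses, so the stored md5 value is a password equivalent; a response sniffed off the wire cannot be replayed against a fresh salt; and the hash being MD5 is not what decides either of those properties.

```python
import hashlib
import hmac
import os


def pg_stored_md5(username: str, password: str) -> str:
    """Value an md5 role carries in pg_authid.rolpassword:
    'md5' + hex(md5(password || username)).  The user name is a public
    salt, so two roles sharing a password still store different hashes."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_md5_response(stored: str, salt: bytes) -> str:
    """Client answer to AuthenticationMD5Password for the 4-byte salt the
    server sent: 'md5' + hex(md5(inner_hex || salt)).  Note that only the
    inner hex digest is needed, never the clear-text password."""
    if not (stored.startswith("md5") and len(stored) == 35 and len(salt) == 4):
        raise ValueError("expected a 'md5'+32-hex stored value and a 4-byte salt")
    inner_hex = stored[3:]
    return "md5" + hashlib.md5(inner_hex.encode() + salt).hexdigest()


def client_response(username: str, password: str, salt: bytes) -> str:
    """What a real client does: derive the inner hash from the password,
    then answer the challenge with it."""
    return pg_md5_response(pg_stored_md5(username, password), salt)


def server_verifies(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected answer from the stored value and
    the salt it issued, compare in constant time."""
    return hmac.compare_digest(pg_md5_response(stored, salt), response)


def demo(username: str = "app", password: str = "correct horse") -> dict:
    # Constructed sample role; in practice 'stored' is read from pg_authid.
    stored = pg_stored_md5(username, password)

    # 1. Normal login: server picks a salt, client answers from the password.
    salt = os.urandom(4)
    legit = server_verifies(stored, salt, client_response(username, password, salt))

    # 2. Pass-the-hash: someone who has only the stored value (no password)
    #    answers the same challenge just as well.
    pass_the_hash = server_verifies(stored, salt, pg_md5_response(stored, salt))

    # 3. Replay: a response sniffed for one salt is useless against the next
    #    salt the server issues.
    sniffed = client_response(username, password, salt)
    fresh_salt = os.urandom(4)
    while fresh_salt == salt:          # make sure the salt really changed
        fresh_salt = os.urandom(4)
    replay = server_verifies(stored, fresh_salt, sniffed)

    return {"legit": legit, "pass_the_hash": pass_the_hash, "replay": replay}


if __name__ == "__main__":
    print(demo())   # expected: legit and pass_the_hash True, replay False
```

The consequence for the original question: with md5 auth, the thing to guard is the stored hash (and therefore the server, its dumps and anyone who can read pg_authid), not the wire, and a sniffer who captures the exchange still has to brute-force md5(inner || salt) offline rather than replay it. Cert auth or Kerberos, as Radek suggests, changes the protocol rather than the hash; swapping MD5 for SHA-256 in this same scheme would leave the pass-the-hash property exactly as it is.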