Thanks!
This is great. I'm now implementing this functionality.
Thank you all.
You are great!
Best,
You should always salt your password hashes.
I.e. randomly generate a salt string, then store this and the password hash:

    insert into auth (user_id, salt, password)
    values (1, 'blah', md5('blah' || 'test'));

then to check the password:

    select true from auth
    where user_id = 1 and password = md5(salt || 'test');

I tend to set a trigger function to auto generate a salt and hash the password.

If you want to be really secure, use both an md5 and sha1 hash, since it has been proved you can generate hash collisions, so you could use:

    insert into auth (user_id, salt, password)
    values (1, 'blah', md5('blah' || 'test') || sha1('blah' || 'test'));

then to check the password:

    select true from auth
    where user_id = 1
      and password = md5(salt || 'test') || sha1(salt || 'test');

Chris Ellis
Iñigo Barandiaran wrote:
Thanks!
Ok. I've found the http://256.com/sources/md5/ library. So the idea is to define in the database a field of PlainText type. When I want to insert a new user, I define a password, convert it to an MD5 hash with the library and store it in the database. Afterwards, any user check should get the content of the database and do the inverse process with the library. Is it correct?
Thanks so much!!!!!!
Best,
Well, you can use the built-in md5 function for this purpose.

For instance, you could insert a password into the table with a statement like:

    insert into auth_data (user_id, password) values (1, md5('test'));

And compare the supplied password with something like:

    select true from auth_data where user_id = 1 and password = md5('test');

You don't need to depend on an external library for this functionality; it's built right into Postgres. Personally, in my own apps I write in PHP, I use a combination of sha1 and md5 to hash user passwords, without depending on Postgres to do the hashing, but the effect is basically the same.
Raymond
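
The trigger approach mentioned in the thread, as an added example that is not code from any of the posters: it swaps the md5/sha1 concatenation for the pgcrypto extension's crypt() with a bcrypt salt from gen_salt('bf'), which embeds the per-row salt in the stored hash so no separate salt column is needed. The table layout, function name and trigger name are assumptions, and the passwords are constructed sample values.

```sql
-- Added example: salted, slow password hashing done by a trigger.
-- Object names are assumptions, not taken from the thread.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE auth (
    user_id  integer PRIMARY KEY,
    password text NOT NULL      -- crypt() output; the salt is part of it
);

-- Replace the supplied plaintext with a bcrypt hash before it is stored.
CREATE FUNCTION auth_hash_password() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'UPDATE' THEN
        -- An UPDATE that sets the column to its current value must not
        -- hash the already-hashed string a second time.
        IF NEW.password IS NOT DISTINCT FROM OLD.password THEN
            RETURN NEW;
        END IF;
    END IF;
    -- gen_salt('bf', 10): fresh random salt, bcrypt with cost factor 10.
    NEW.password := crypt(NEW.password, gen_salt('bf', 10));
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER auth_hash_password_trg
    BEFORE INSERT OR UPDATE OF password ON auth
    FOR EACH ROW EXECUTE PROCEDURE auth_hash_password();

-- Two users choosing the same password (constructed sample data).
INSERT INTO auth (user_id, password) VALUES (1, 'test');
INSERT INTO auth (user_id, password) VALUES (2, 'test');

-- The stored values differ because each row received its own salt.
SELECT user_id, password FROM auth ORDER BY user_id;

-- Check a login attempt: crypt() reads the salt and cost back out of
-- the stored hash, so the comparison needs no separate salt lookup.
SELECT true FROM auth
WHERE user_id = 1 AND password = crypt('test', password);
```

With a trigger the plaintext still travels to the server inside the statement, so it can end up in statement logs when log_statement is enabled.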