From: | Michael Fuhr <mfuhr+pgsql-general(at)fuhr(dot)org> |
---|---|
To: | Jason Hihn <jhihn(at)paytimepayroll(dot)com>, Pgsql-general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Authentication Question |
Date: | 2003-12-16 17:09:02 |
Message-ID: | 20031216170902.GA12909@winnie.fuhr.org |
Lists: | pgsql-general |
On Tue, Dec 16, 2003 at 10:57:06AM -0600, Bruno Wolff III wrote:
> On Tue, Dec 16, 2003 at 10:54:47 -0500,
> Jason Hihn <jhihn(at)paytimepayroll(dot)com> wrote:
>
> > Now if I don't use the built in auth, I have to do permission checks myself.
> > But the bigger problem is I don't want to store plain text passwords in MY
> > users table, so I was going to use md5. But then I checked, and the
> > pg_shadow entry has 'md5' prepended to what I assume is the md5 hash of my
> > password. But when I ask for a md5 hash of my password, I don't get the same
> > number.
>
> I don't know for sure, but I would expect that something is being used as
> a salt. This is normal as it makes using prebuilt dictionaries more
> difficult and prevents you from being able to tell if two accounts
> have the same password just by looking at the hash.

The user name is the salt:

mydb=# create user johndoe with password 'opensesame';
CREATE USER
mydb=# select passwd from pg_shadow where usename = 'johndoe';
               passwd
-------------------------------------
 md5a7350a3bb54a151a858758c7266c57bd
(1 row)

mydb=# select md5('opensesame' || 'johndoe');
               md5
----------------------------------
 a7350a3bb54a151a858758c7266c57bd
(1 row)

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
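
The layout shown in the session above ('md5' followed by md5(password || username)), as an added example that is not part of the original message or of PostgreSQL's own code: it builds and verifies a pg_shadow-style value outside the database. The function names and the UTF-8 encoding of the inputs are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Layout seen in the message: the literal 'md5' followed by 32 hex digits.
_ENTRY_RE = re.compile(r"md5[0-9a-f]{32}")


def pg_md5_entry(username: str, password: str) -> str:
    """Build a pg_shadow-style value: 'md5' || md5(password || username)."""
    # Assumption: both strings are encoded as UTF-8 before hashing.
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def verify_pg_md5(stored: str, username: str, password: str) -> bool:
    """Check a candidate password against a stored pg_shadow-style value."""
    if not _ENTRY_RE.fullmatch(stored):
        # Not in the 'md5' + 32 hex layout (plaintext or some other scheme).
        return False
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(stored, pg_md5_entry(username, password))


if __name__ == "__main__":
    # Value copied from the psql session in the message.
    stored = "md5a7350a3bb54a151a858758c7266c57bd"
    print("johndoe/opensesame verifies:",
          verify_pg_md5(stored, "johndoe", "opensesame"))
    # The user name is part of the hash input, so the same stored value
    # does not verify for any other user name.
    print("janedoe/opensesame verifies:",
          verify_pg_md5(stored, "janedoe", "opensesame"))
    # Same password, different user: the stored values differ, so equal
    # passwords cannot be spotted by comparing pg_shadow rows.
    print("janedoe entry:", pg_md5_entry("janedoe", "opensesame"))
```

Because the user name is an input to the hash, a value computed for one user name stops matching if that name changes.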