On Wed, Feb 04, 2009 at 09:34:56AM -0500, Raymond C. Rodgers wrote:
> You don't need to depend on an external library for this functionality;
> it's built right into Postgres. Personally, in my own apps I write in
> PHP, I use a combination of sha1 and md5 to hash user passwords,
> without depending on Postgres to do the hashing, but the effect is
> basically the same.
Doing the hashing outside PG would reduce the chance of the password
being exposed, either accidentally by, say, turning on statement
logging, or maliciously. A general rule with passwords is to throw away
any copy of a plain text password as quickly as possible, sending the
password over to another process would go against this.
--
Sam http://samason.me.uk/