Re: Encrypted column

From: Guy Rouillier <guyr-ml1(at)burntmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Encrypted column
Date: 2007-06-04 22:54:55
Message-ID: 4664983F.4010700@burntmail.com
Lists: pgsql-general pgsql-sql

Ranieri Mazili wrote:
> Hello,
>
> I need to store users and passwords in a table and I want to store them
> encrypted, but I haven't found documentation about it. How can I create a
> table with columns "user" and "password" with column "password"
> encrypted, and how can I check if "user" and "password" are correct using
> a SQL query?

Many people consider two-way encryption to be insecure; two-way
encryption means you can decrypt a value if you know the key, and it is
insecure because you usually have to put the key into the source code.
That means at least one person in your company, the programmer
maintaining the source code, can learn all of your users' passwords.
One way around that is to hash the value instead. Then to validate, at
runtime you hash the user-entered password using the same hash function,
and validate that it matches the stored hash. No one in your company
ever knows end-user passwords.

--
Guy Rouillier
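
The hash-and-compare check described in the reply above, written as SQL since that is what the question asked for. This is an added example, not part of the original message: it assumes the pgcrypto extension and PostgreSQL 9.5 or later, goes beyond the reply by using a salted, deliberately slow hash (bcrypt via `crypt()`), and the table and function names are hypothetical.

```sql
-- Added example; table, column and function names are hypothetical.
-- Assumes pgcrypto is installed and PostgreSQL 9.5+ (for ON CONFLICT).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    username      text PRIMARY KEY,
    -- crypt() output: algorithm id, cost, salt and hash in one string
    password_hash text NOT NULL
);

-- Store or replace a password. gen_salt('bf', 10) generates a fresh random
-- salt and selects Blowfish-based crypt (bcrypt) with cost factor 10, so two
-- users with the same password get different stored values.
CREATE FUNCTION set_password(p_user text, p_password text) RETURNS void
LANGUAGE sql AS $$
    INSERT INTO app_user (username, password_hash)
    VALUES (p_user, crypt(p_password, gen_salt('bf', 10)))
    ON CONFLICT (username)
    DO UPDATE SET password_hash = EXCLUDED.password_hash;
$$;

-- Verify a login attempt. Passing the stored hash as the second argument
-- makes crypt() reuse the stored algorithm, cost and salt, so the result
-- equals the stored value only when the entered password is the same.
CREATE FUNCTION check_password(p_user text, p_password text) RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1
        FROM app_user
        WHERE username = p_user
          AND password_hash = crypt(p_password, password_hash)
    );
$$;

-- Constructed sample values, for illustration only.
SELECT set_password('alice', 'constructed-sample-password');
SELECT check_password('alice', 'constructed-sample-password');
SELECT check_password('alice', 'wrong-guess');
-- An unknown user and a wrong password return the same boolean, so the
-- caller cannot tell from the result which user names exist.
SELECT check_password('nobody', 'anything');
```

Because the plaintext password is sent to the server as a query argument, it can appear in server logs when statement logging is enabled, and the connection should be encrypted. Fetching the stored hash and verifying it in the application avoids both.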
