Re: Encrypted column

From: Tino Wildenhain <tino(at)wildenhain(dot)de>
To: Marko Kreen <markokr(at)gmail(dot)com>
Cc: Ranieri Mazili <ranieri(dot)oliveira(at)terra(dot)com(dot)br>, pgsql-general(at)postgresql(dot)org, pgsql-sql(at)postgresql(dot)org
Subject: Re: Encrypted column
Date: 2007-06-05 16:16:09
Message-ID: 46658C49.3010004@wildenhain.de
Lists: pgsql-general pgsql-sql

Marko Kreen wrote:
> On 6/5/07, Tino Wildenhain <tino(at)wildenhain(dot)de> wrote:
>> Ranieri Mazili wrote:
>> > Hello,
>> >
>> > I need to store users and passwords on a table and I want to store it
>> > encrypted, but I didn't find documentation about it, how can I create a
>> > table with columns "user" and "password" with column "password"
>> > encrypted and how can I check if "user" and "password" are correct
>> > using a sql query?
>>
>> Passwords are usually not encrypted but hashed instead. A common hash
>> function is available in postgres w/o any additional extension:
>>
>> md5()
>>
>> The rule is, if two hashes compare equal, then the original data must
>> be equal (yes, there are chances for collisions, but practically very
>> low. See also sha1 and friends in the pgcrypto contrib module)
>
> Both md5 and sha1 are bad for passwords, no salt and easy to
> bruteforce - due to the tiny amount of data in passwords.
>
Err. I did not mention salt but nobody prevents you from using
a salt with md5 and sha.

Regards
Tino
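
The two approaches discussed in this thread, side by side, as an added example that is not part of the original message: a per-user salt with the built-in md5(), and the salted, deliberately slow crypt() from the pgcrypto contrib module. Table and column names and the sample password are hypothetical, and it assumes pgcrypto is installed.

```sql
-- Added example; table and column names are hypothetical.
-- Assumes the pgcrypto contrib module is installed
-- (CREATE EXTENSION pgcrypto; on PostgreSQL 9.1 and later).

-- Variant 1: per-user random salt with the built-in md5().
-- The salt stops identical passwords from producing identical hashes,
-- but each guess still costs only one fast md5 computation.
CREATE TABLE app_user_md5 (
    username text PRIMARY KEY,
    salt     text NOT NULL,          -- random, stored next to the hash
    pw_hash  text NOT NULL           -- md5(salt || password), 32 hex chars
);

-- Store: generate the salt once and reuse the same value for the hash.
INSERT INTO app_user_md5 (username, salt, pw_hash)
SELECT 'alice', s.salt, md5(s.salt || 'correct horse')  -- constructed sample password
FROM (SELECT encode(gen_random_bytes(16), 'hex') AS salt) AS s;

-- Check: returns one row only if user and password match.
SELECT username
FROM app_user_md5
WHERE username = 'alice'
  AND pw_hash = md5(salt || 'correct horse');

-- Variant 2: pgcrypto crypt() with a Blowfish ('bf') salt.
-- The algorithm, the iteration count and the salt are all embedded
-- in the stored string, so no separate salt column is needed, and
-- the iteration count makes every guess slower.
CREATE TABLE app_user (
    username text PRIMARY KEY,
    pw_hash  text NOT NULL
);

-- Store: gen_salt('bf', 10) picks a random salt with iteration count 10.
INSERT INTO app_user (username, pw_hash)
VALUES ('alice', crypt('correct horse', gen_salt('bf', 10)));

-- Check: re-hash the candidate using the stored hash as the salt
-- argument; the result equals the stored hash only on a match.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND pw_hash = crypt('correct horse', pw_hash);
```

In an application the password is passed as a bind parameter rather than written into the statement text.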
