| From: | Radosław Smogura <rsmogura(at)softperience(dot)eu> |
|---|---|
| To: | Isak Hansen <isak(dot)hansen(at)gmail(dot)com> |
| Cc: | <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres |
| Date: | 2011-06-09 07:32:38 |
| Message-ID: | 7732972a11eb9f6d2d3d09de81fb34dc@mail.softperience.eu |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Wed, 8 Jun 2011 21:07:12 +0200, Isak Hansen wrote:
> On Wed, Jun 8, 2011 at 11:43 AM, Radosław Smogura
> <rsmogura(at)softperience(dot)eu> wrote:
>>
>> You should actually only consider safty of storing of such passwords
>> in
>> database. If with md5 the password isn't digested like in DIGEST
>> HTTP auth,
>> and only md5 shortcut is transfferd it has no meaning if you will
>> transfer
>> over network clear password or md5 password (ok has if you use same
>> password
>> in at least two services both storing password with md5). On higher
>> level
>> you may note that MD5 is little bit out-dated and it's not
>> considered
>> secure, currently I think only SHA-256 is secure.
>>
>> If you suspect that someone on your network may sniff password use
>> cert auth
>> or kerberos or one of it mutations.
>
> While MD5 is considered broken for certain applications, it's still
> perfectly valid for auth purposes.
Just one tip, if you will trust all of 127.0.0.1 pleas bear in mind,
that everyone who has access to db server may be a db superuser.
Regards,
Radek
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Radosław Smogura | 2011-06-09 07:41:47 | Re: what is the best way of storing text+image documents in postgresql |
| Previous Message | Clemens Schwaighofer | 2011-06-09 06:41:16 | plpgsql function with update and seeing changed data from outside during run |