Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres

From: Radosław Smogura <rsmogura(at)softperience(dot)eu>
To: Isak Hansen <isak(dot)hansen(at)gmail(dot)com>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres
Date: 2011-06-09 07:32:38
Message-ID: 7732972a11eb9f6d2d3d09de81fb34dc@mail.softperience.eu
Lists: pgsql-general

On Wed, 8 Jun 2011 21:07:12 +0200, Isak Hansen wrote:
> On Wed, Jun 8, 2011 at 11:43 AM, Radosław Smogura
> <rsmogura(at)softperience(dot)eu> wrote:
>>
>> You should actually only consider the safety of storing such passwords
>> in the database. If with md5 the password isn't digested like in DIGEST
>> HTTP auth, and only the md5 shortcut is transferred, it has no meaning
>> whether you transfer the clear password or the md5 password over the
>> network (ok, it has if you use the same password in at least two
>> services, both storing the password with md5). On a higher level you
>> may note that MD5 is a little bit out-dated and it's not considered
>> secure; currently I think only SHA-256 is secure.
>>
>> If you suspect that someone on your network may sniff the password, use
>> cert auth or kerberos or one of its mutations.
>
> While MD5 is considered broken for certain applications, it's still
> perfectly valid for auth purposes.

Just one tip: if you trust all of 127.0.0.1, please bear in mind
that everyone who has access to the db server may be a db superuser.

Regards,
Radek
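Radek's tip concerns pg_hba.conf: a `trust` rule for 127.0.0.1 lets any OS user on the database host connect as any PostgreSQL role, superusers included. The script below is an added example, not code from the thread or from PostgreSQL; the pg_hba.conf content is constructed, and the `find_trust_rules` helper name is my own.

```shell
#!/bin/sh
# Constructed sample pg_hba.conf (not from the thread). The first rule is the
# "trust everything from 127.0.0.1" pattern Radek warns about; the others use
# password or OS-user authentication. Field order for "host" rules:
#   TYPE  DATABASE  USER  ADDRESS  METHOD
# "local" rules have no ADDRESS field, so METHOD is the 4th field there.
SAMPLE_HBA='# TYPE  DATABASE  USER      ADDRESS        METHOD
host    all       all       127.0.0.1/32   trust
host    all       all       ::1/128        md5
host    appdb     appuser   10.0.0.0/8     md5
local   all       postgres                 peer'

# Read pg_hba.conf rules on stdin and print every rule whose METHOD is "trust":
# anyone who can reach that address can log in as any matching role with no
# credential at all, which on 127.0.0.1 means every local account on the host.
find_trust_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        $1 == "local" { method = $4 }
        $1 != "local" { method = $5 }
        method == "trust" { print }
    '
}

# Hardened replacement for the first rule: require a password for loopback
# connections (md5 in the 2011-era versions discussed; on PostgreSQL 10 and
# later, scram-sha-256 is the stronger choice). Restricting DATABASE and USER
# to the application's own names further limits what a local account can do.
HARDENED_RULE='host    appdb     appuser   127.0.0.1/32   md5'

# Stand-alone demonstration: list the risky rules in the sample configuration.
echo "Rules granting passwordless access:"
printf '%s\n' "$SAMPLE_HBA" | find_trust_rules
echo "Suggested replacement: $HARDENED_RULE"
```

Run it against a real file with `find_trust_rules < /path/to/pg_hba.conf`; changes take effect only after the server reloads its configuration.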
