Re: Encrypted column

From: "Marko Kreen" <markokr(at)gmail(dot)com>
To: "Tino Wildenhain" <tino(at)wildenhain(dot)de>
Cc: "Ranieri Mazili" <ranieri(dot)oliveira(at)terra(dot)com(dot)br>, pgsql-general(at)postgresql(dot)org, pgsql-sql(at)postgresql(dot)org
Subject: Re: Encrypted column
Date: 2007-06-05 14:12:11
Message-ID: e51f66da0706050712u3c59a369n986ae56344912a24@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-sql

On 6/5/07, Tino Wildenhain <tino(at)wildenhain(dot)de> wrote:
> Ranieri Mazili schrieb:
> > Hello,
> >
> > I need to store users and passwords on a table and I want to store it
> > encrypted, but I don't found documentation about it, how can I create a
> > table with columns "user" and "password" with column "password"
> > encrypted and how can I check if "user" and "password" are correct using
> > a sql query ?
>
> Passwords are usually not encrypted but hashed instead. A common hash
> function is available in postgres w/o any additional extension:
>
> md5()
>
> The rule is, if two hashes compare equal, then the original data must
> be equal (yes, there are chances for collisions, but practically very
> low. See also sha1 and friends in the pgcrypto contrib module)

Both md5 and sha1 are bad for passwords, no salt and easy to
bruteforce - due to the tiny amount of data in passwords.

Proper ways is to use crypt() function from pgcrypto module.
Due to historical accident is has bad name which hints at
encryption, actually its only purpose is to hash passwords.
Read more in pgcrypto doc.

--
marko

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Brian Mathis 2007-06-05 14:26:08 Re: Encrypted column
Previous Message Richard Broersma Jr 2007-06-05 14:07:29 Re: CREATE RULE with WHERE clause

Browse pgsql-sql by date

  From Date Subject
Next Message Loredana Curugiu 2007-06-05 14:15:34 Re: [SQL] JOIN
Previous Message Loredana Curugiu 2007-06-05 14:08:44 Re: [SQL] JOIN