Re: How passwords can be crypted in postgres?
От | Gordan Bobic |
---|---|
Тема | Re: How passwords can be crypted in postgres? |
Дата | |
Msg-id | 000f01c074ab$85f92060$8000000a@localdomain обсуждение исходный текст |
Ответ на | Re: How passwords can be crypted in postgres? (The Hermit Hacker <scrappy@hub.org>) |
Список | pgsql-general |
> > [...] > > Isn't this just as bad? If you store the encrypted password, that doesn't > > help you in the slightest in this case, because if you can breach the list > > of encrypted passwords, you still know what you need to send as the > > "password" from the front end to let you into the database. > > [...] > > If you encrypt the input from the frontend as well and compare the > encrypted strings it will not help you to look into the list of > encrypted passwords ... or am I wrong? What problem are you trying to defeat? If you are worried about "sniffing" passwords from the traveling packets, then regardless of whether the password field carries a plain text password or scrambled garbage, if you know where the password field is, you can sniff it. If you are simply using this for authentication, then it doesn't matter whether the password is encrypted or not. You are still, effectively, transmitting a "password string" that is used for authentication. The security of passwords, encrypted or otherwise is purely reliant on the security of your database server that stores the data. Does that make sense? Regards. Gordan
В списке pgsql-general по дате отправления: