On Thu, Apr 29, 2004 at 09:07:16 +0200,
Joolz <joolz@xs4all.nl> wrote:
>
> I want to store passwords in a pg db, MD5 seems like a good way to
> enhance security (no more plaintext passwords over the line etc.) I
> had a look at MD5, in PHP 4.3.4 there is a function md5() which seems
> to work nicely:
This may not help as much as you think. If you are using an ssl connection,
the passwords won't be sent in the clear. If you aren't using an ssl
connection the hashes will be in clear. I don't believe the postgres
uses a random challenge so that you won't really raise the bar much.
Plus if snooping passwords is a threat, most likely snooping data will
be as well (though not always) and forcing connections to use ssl may be
your best bet. I believe as typically used this is vulnerable to man in
the middle attacks, but these are going to be significantly harder to do than
simple snooping.