Re: field with Password

From Iñigo Barandiaran
Subject Re: field with Password
Date
Msg-id 4989C64D.2080008@vicomtech.org
In reply to field with Password  (Iñigo Barandiaran <ibarandiaran@vicomtech.org>)
List pgsql-general
Thanks!

This is great. I'm now implementing this functionality.

Thank you all.

You are great!

Best,

> You should always salt your password hashes.
>
> I.e. randomly generate a salt string, then store this and the password hash:
>
>         insert into auth (user_id, salt, password) values (1, 'blah', md5('blah' || 'test'));
>
> then to check the password
>
>         select true from auth where user_id = 1 and password = md5(salt || 'test');
>
> I tend to set a trigger function to auto generate a salt and hash the password.
>
> If you want to be really secure, use both a md5 and sha1 hash, since it has been proved you can generate hash collisions so you could use:
>
>         insert into auth (user_id, salt, password) values (1, 'blah', md5('blah' || 'test') || sha1('blah' || 'test'));
>
> then to check the password
>
>         select true from auth where user_id = 1 and password = md5(salt || 'test') || sha1(salt || 'test');
>
> Chris Ellis
>
> "Raymond C. Rodgers" <sinful622@gmail.com>
> Sent by: pgsql-general-owner@postgresql.org
> 04/02/2009 14:34
> To: Iñigo Barandiaran <ibarandiaran@vicomtech.org>
> cc: pgsql-general@postgresql.org
> Subject: Re: [GENERAL] field with Password
>
> Iñigo Barandiaran wrote:
> > Thanks!
> >
> > Ok. I've found http://256.com/sources/md5/ library. So the idea is to define in the dataBase a Field of PlainText type. When I want to insert a new user, I define a password, convert to MD5 hash with the library and store it in the DataBase. Afterwards, any user check should get the content of the DataBase of do the inverse process with the library. Is it correct?
> >
> > Thanks so much!!!!!!
> >
> > Best,
>
> Well, you can use the built-in md5 function for this purpose. For instance, you could insert a password into the table with a statement like:
>
>         insert into auth_data (user_id, password) values (1, md5('test'));
>
> And compare the supplied password with something like:
>
>         select true from auth_data where user_id = 1 and password = md5('test');
>
> You don't need to depend on an external library for this functionality; it's built right into Postgres. Personally, in my own apps I write in PHP, I use a combination of sha1 and md5 to hash user passwords, without depending on Postgres to do the hashing, but the effect is basically the same.
>
> Raymond
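The trigger-based salting and hashing described in the quoted message, as an added example that is not part of the original thread: it swaps md5()/sha1() for the pgcrypto extension's crypt() and gen_salt('bf'), because a fast digest with a salt still allows cheap offline guessing, while bcrypt is deliberately slow and stores its salt inside the hash. Assumptions: PostgreSQL 11 or later with pgcrypto installed; the table follows the thread's auth layout without the salt column, and the function and trigger names are hypothetical.

```sql
-- Added example, not code from the thread. Assumes PostgreSQL 11+ and the
-- pgcrypto contrib extension; auth_hash_password is a hypothetical name.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- No separate salt column: crypt() output embeds algorithm, cost and salt.
CREATE TABLE auth (
    user_id  integer PRIMARY KEY,
    password text NOT NULL
);

-- Hash on the way in, so plaintext is never stored in the table.
CREATE FUNCTION auth_hash_password() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        NEW.password := crypt(NEW.password, gen_salt('bf', 10));
    ELSIF NEW.password IS DISTINCT FROM OLD.password THEN
        -- Only rehash when the column really changed, so an UPDATE that
        -- writes the stored hash back does not hash the hash.
        NEW.password := crypt(NEW.password, gen_salt('bf', 10));
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER auth_hash_password
    BEFORE INSERT OR UPDATE OF password ON auth
    FOR EACH ROW EXECUTE FUNCTION auth_hash_password();

-- Constructed sample data: two users with the same password.
INSERT INTO auth (user_id, password) VALUES (1, 'test'), (2, 'test');

-- Each row got its own random salt, so the two stored hashes differ.
SELECT count(DISTINCT password) = 2 AS salts_differ FROM auth;

-- Check a login attempt: crypt() reuses the salt and cost embedded in the
-- stored value, so the comparison matches only for the right password.
SELECT password = crypt('test',  password) AS ok FROM auth WHERE user_id = 1;
SELECT password = crypt('wrong', password) AS ok FROM auth WHERE user_id = 1;

-- Changing the password goes through the same trigger.
UPDATE auth SET password = 'new secret' WHERE user_id = 1;
SELECT password = crypt('new secret', password) AS ok FROM auth WHERE user_id = 1;
```

With this layout the plaintext still travels to the server inside the statement, so send it as a bind parameter over an encrypted connection and check what statement logging captures.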
