Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres

From Radosław Smogura
Subject Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres
Date
Msg-id 7732972a11eb9f6d2d3d09de81fb34dc@mail.softperience.eu
In reply to Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres  (Isak Hansen <isak.hansen@gmail.com>)
List pgsql-general
 On Wed, 8 Jun 2011 21:07:12 +0200, Isak Hansen wrote:
> On Wed, Jun 8, 2011 at 11:43 AM, Radosław Smogura
> <rsmogura@softperience.eu> wrote:
>>
>> You should actually only consider the safety of storing such passwords
>> in the database. If with md5 the password isn't digested like in DIGEST
>> HTTP auth, and only the md5 shortcut is transferred, it makes no
>> difference whether you transfer the clear password or the md5 password
>> over the network (ok, it does if you use the same password in at least
>> two services both storing the password with md5). On a higher level
>> you may note that MD5 is a little bit out-dated and it's not considered
>> secure; currently I think only SHA-256 is secure.
>>
>> If you suspect that someone on your network may sniff the password, use
>> cert auth or kerberos or one of its mutations.
>
> While MD5 is considered broken for certain applications, it's still
> perfectly valid for auth purposes.

 Just one tip: if you will trust all of 127.0.0.1, please bear in mind
 that everyone who has access to the db server may be a db superuser.

 Regards,
 Radek
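
An added check, not code from this thread, that audits pg_hba.conf records for the `trust` method Radek's tip is about (the assumption here is that "trust all of 127.0.0.1" means a `trust` record for that address in pg_hba.conf). The sample file is constructed and shows the weak lines next to scram-sha-256 and cert alternatives.

```python
import re

# Constructed sample pg_hba.conf (not from the thread). The two 'trust'
# records are the weak setting; the scram-sha-256 and cert records are the
# corrected form.
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
local   all       all                       trust
host    all       all       127.0.0.1/32    trust
host    all       all       ::1/128         scram-sha-256
host    appdb     appuser   10.0.0.0/8      scram-sha-256
hostssl all       all       0.0.0.0/0       cert
"""


def parse_pg_hba(text):
    """Return one dict per record; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind, address = fields[0], None
        if kind == "local":
            if len(fields) < 4:
                continue                      # malformed record, skip it
            db, user, method = fields[1:4]
        else:
            if len(fields) < 5:
                continue
            db, user, address = fields[1:4]
            rest = fields[4:]
            # host records may give "IP netmask" as two fields; fold them.
            if len(rest) >= 2 and re.fullmatch(r"[\d.]+", rest[0]):
                address, rest = f"{address} {rest[0]}", rest[1:]
            method = rest[0]
        records.append({"line": lineno, "type": kind, "database": db,
                        "user": user, "address": address, "method": method})
    return records


def find_trust_entries(text):
    """Return (line, description) for every 'trust' record: a passwordless
    login as any role the USER column matches, superusers included when
    it says 'all'."""
    findings = []
    for rec in parse_pg_hba(text):
        if rec["method"] != "trust":
            continue
        scope = "any role" if rec["user"] == "all" else rec["user"]
        where = "local socket" if rec["type"] == "local" else rec["address"]
        findings.append((rec["line"], f"trust for {scope} from {where}"))
    return findings
```

Running `find_trust_entries` over a real pg_hba.conf lists each record that lets a local or loopback client log in without credentials.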
