Thread: md5 hashing of user passwords

md5 hashing of user passwords

From
"G. J. Walsh"
Date:
At registration, a user's password is encrypted by php's md5 and stored
in a client login table.

On login, the client's password as provided in a login form, is run
through md5 hashing and submitted to the server for authentication.
Pretty standard stuff!

BUT authentication always fails.

To get a grip on this, I set up a record with a specific password. For
some reason I cannot understand, the md5 hash written into postgresql
does not correspond with the echoing back of the hash at login attempts.

In both instances, the hashing is consistent.

The login is performed under ssl. Changing it to run under http makes no
difference - the hashing remains the same.

The data base provides a character varying(32) column for the hashed
password.

Can someone help me out of this morass???

Much appreciated!

Re: md5 hashing of user passwords

From
Bruce Momjian
Date:
We add the username to the md5 hash.  See the libpq code for an example,
PQencryptPassword().


---------------------------------------------------------------------------

G. J. Walsh wrote:
> At registration, a user's password is encrypted by php's md5 and stored
> in a client login table.
>
> On login, the client's password as provided in a login form, is run
> through md5 hashing and submitted to the server for authentication.
> Pretty standard stuff!
>
> BUT authentication always fails.
>
> To get a grip on this, I set up a record with a specific password. For
> some reason I cannot understand, the md5 hash written into postgresql
> does not correspond with the echoing back of the hash at login attempts.
>
> In both instances, the hashing is consistent.
>
> The login is performed under ssl. Changing it to run under http makes no
> difference - the hashing remains the same.
>
> The data base provides a character varying(32) column for the hashed
> password.
>
> Can someone help me out of this morass???
>
> Much appreciated!
>
> --
> Sent via pgsql-novice mailing list (pgsql-novice@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-novice

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
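
The format the reply above refers to, as an added example that is not part of the original thread or of libpq: PostgreSQL's md5 role-password value is the string `md5` followed by the MD5 hex digest of the password concatenated with the username, so it never equals the bare digest PHP's `md5()` returns. The helper names and the sample credentials are constructed for illustration.

```python
# Added example; helper names are hypothetical, not libpq's API.
import hashlib
import hmac

PG_MD5_LEN = 35  # "md5" prefix + 32 hex digits; longer than a varchar(32) column


def plain_md5(password: str) -> str:
    """Unsalted digest, the 32 hex digits PHP's md5($password) returns."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pg_md5_password(password: str, username: str) -> str:
    """PostgreSQL md5 role-password form: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def diagnose(stored: str, password: str, username: str) -> str:
    """Classify a stored value against what PostgreSQL would hold for this login."""
    expected = pg_md5_password(password, username)
    if _same(stored, expected):
        return "match"
    if _same(stored, plain_md5(password)):
        return "plain-md5"      # username was never mixed in
    if stored and expected.startswith(stored):
        return "truncated"      # e.g. cut to fit a 32-character column
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    user, pw = "alice", "s3cret"
    for label, stored in [
        ("salted", pg_md5_password(pw, user)),
        ("unsalted", plain_md5(pw)),
        ("cut to 32", pg_md5_password(pw, user)[:32]),
        ("other user", pg_md5_password(pw, "bob")),
    ]:
        print(f"{label:10} {stored:35} -> {diagnose(stored, pw, user)}")
```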