> On Wed, Feb 04, 2009 at 09:34:56AM -0500, Raymond C. Rodgers wrote:
> > You don't need to depend on an external library for this
> functionality;
> > it's built right into Postgres. Personally, in my own apps I write in
> > PHP, I use a combination of sha1 and md5 to hash user passwords,
> > without depending on Postgres to do the hashing, but the effect is
> > basically the same.
>
> Doing the hashing outside PG would reduce the chance of the password
> being exposed, either accidentally by, say, turning on statement
> logging, or maliciously. A general rule with passwords is to throw
> away
> any copy of a plain text password as quickly as possible, sending the
> password over to another process would go against this.
>
Agreed. Another benefit of this is the hashing support in PHP is more
flexible. I personally use the hash() function to get a SHA-256 hash
instead of the weaker sha1 or md5.