Re: Authentication Question
From | Michael Fuhr |
---|---|
Subject | Re: Authentication Question |
Date | |
Msg-id | 20031216170902.GA12909@winnie.fuhr.org |
In response to | Re: Authentication Question (Bruno Wolff III <bruno@wolff.to>) |
Responses | Re: Authentication Question |
List | pgsql-general |
On Tue, Dec 16, 2003 at 10:57:06AM -0600, Bruno Wolff III wrote:
> On Tue, Dec 16, 2003 at 10:54:47 -0500,
>   Jason Hihn <jhihn@paytimepayroll.com> wrote:
> >
> > Now if I don't use the built in auth, I have to do permission checks myself.
> > But the bigger problem is I don't want to store plain text passwords in MY
> > users table, so I was going to use md5. But then I checked, and the
> > pg_shadow entry has 'md5' prepended to what I assume is the md5 hash of my
> > password. But when I ask for a md5 hash of my password, I don't get the same
> > number.
>
> I don't know for sure, but I would expect that something is being used as
> a salt. This is normal as it makes using prebuilt dictionaries more
> difficult and prevents you from being able to tell if two accounts
> have the same password just by looking at the hash.

The user name is the salt:

mydb=# create user johndoe with password 'opensesame';
CREATE USER
mydb=# select passwd from pg_shadow where usename = 'johndoe';
               passwd
-------------------------------------
 md5a7350a3bb54a151a858758c7266c57bd
(1 row)

mydb=# select md5('opensesame' || 'johndoe');
               md5
----------------------------------
 a7350a3bb54a151a858758c7266c57bd
(1 row)

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/
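Added example, not part of the original message or of PostgreSQL's own code: a Python sketch of an application-side check against an entry in the form shown above ('md5' followed by md5(password || username)). The function names and the alice/bob sample users are constructed for illustration; the johndoe values are the ones quoted in the message.

```python
import hashlib
import hmac

PREFIX = "md5"
HEX = set("0123456789abcdef")


def pg_md5_entry(username: str, password: str) -> str:
    """Return 'md5' + md5(password || username), the form shown in pg_shadow."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return PREFIX + digest


def verify_entry(stored: str, username: str, password: str) -> bool:
    """Check a candidate password against a stored entry for this user."""
    # Accept only 'md5' followed by exactly 32 lowercase hex digits.
    if len(stored) != 35 or not stored.startswith(PREFIX):
        return False
    if not set(stored[3:]) <= HEX:
        return False
    # Constant-time comparison of stored and recomputed values.
    return hmac.compare_digest(stored, pg_md5_entry(username, password))


def salt_effects() -> dict:
    """Show what salting with the user name does and does not give you."""
    alice = pg_md5_entry("alice", "same-password")  # constructed sample users
    bob = pg_md5_entry("bob", "same-password")
    return {
        # Same password, different users: entries differ.
        "entries_differ": alice != bob,
        # The entry is bound to the name: it fails under another user name.
        "valid_after_rename": verify_entry(alice, "alice2", "same-password"),
    }


if __name__ == "__main__":
    # Values quoted in the message above.
    stored = "md5a7350a3bb54a151a858758c7266c57bd"
    print(verify_entry(stored, "johndoe", "opensesame"))
    print(salt_effects())
```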