Re: Encrypted column

Marko Kreen schrieb:
> On 6/5/07, Tino Wildenhain <tino@wildenhain.de> wrote:
>> Ranieri Mazili schrieb:
>> > Hello,
>> >
>> > I need to store users and passwords on a table and I want to store it
>> > encrypted, but I don't found documentation about it, how can I create a
>> > table with columns "user" and "password" with column "password"
>> > encrypted and how can I check if "user" and "password" are correct
>> using
>> > a sql query ?
>>
>> Passwords are usually not encrypted but hashed instead. A common hash
>> function is available in postgres w/o any additional extension:
>>
>> md5()
>>
>> The rule is, if two hashes compare equal, then the original data must
>> be equal (yes, there are chances for collisions, but practically very
>> low. See also sha1 and friends in the pgcrypto contrib module)
>
> Both md5 and sha1 are bad for passwords, no salt and easy to
> bruteforce - due to the tiny amount of data in passwords.
>
Err. I did not mention salt but nobody prevents you from using
a salt with md5 and sha.

Regards
Tino