Re: storing passwords
From | Christopher Nehren |
---|---|
Subject | Re: storing passwords |
Date | |
Msg-id | slrnd570se.12em.apeiron+usenet@prophecy.dyndns.org |
In reply to | storing passwords ("Cima" <ruel.cima@facinf.uho.edu.cu>) |
Responses | Re: storing passwords |
List | pgsql-novice |
On 2005-04-06, Cima scribbled these curious markings:

> what I'd like to know is if there is a way of storing these passwords as
> nonplain text or in an encrypted form. I know mysql has an internal
> function/datatype that when specified, it encrypts the values given. is
> there anything like this in postgresql 8.0.1?
> if not, any suggestions on how to store these passwords?

What I do is receive the password from the user, take the SHA512 (yes, SHA512; I'm thinking ahead), and then either store it in the database (if they're changing their password or registering) or receive the already-stored value from the database and see if the two digests are equal. So long as you encrypt the password before passing it to the database, there'll only be one instance of the password being sent in cleartext: from the user's browser to your server. And you can fix that with SSL.

By the way, please refrain from using HTML in your electronic correspondence. Those of us with text clients (like mine) are unable to read messages posted solely in HTML.

Best Regards,
Christopher Nehren

--
I abhor a system designed for the "user", if that word is a coded
pejorative meaning "stupid and unsophisticated". -- Ken Thompson
If you ask the wrong questions, you get answers like "42" and "God".
Unix is user friendly. However, it isn't idiot friendly.
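
The store-and-compare flow described in the message above, as an added example that is not part of the original post: the digest is computed in the application before anything reaches the database, but with a per-user salt and PBKDF2-HMAC-SHA512 in place of a single SHA512 pass, so equal passwords do not produce equal stored values. The in-memory SQLite table stands in for PostgreSQL; the table layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 210_000  # assumed work factor for this example; tune to your hardware


def unsalted_sha512(password: str) -> str:
    """Single-pass digest as described in the post, kept for comparison."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated SHA512 (PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # stand-in for the PostgreSQL users table
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL,"
               " iterations INTEGER NOT NULL, digest BLOB NOT NULL)")
    return db


def set_password(db: sqlite3.Connection, name: str, password: str) -> None:
    """Registration or password change: only salt and digest are stored."""
    salt = os.urandom(16)  # fresh random salt per user and per change
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)",
               (name, salt, ITERATIONS, derive(password, salt, ITERATIONS)))


def check_password(db: sqlite3.Connection, name: str, password: str) -> bool:
    """Login: re-derive with the stored salt and compare in constant time."""
    row = db.execute("SELECT salt, iterations, digest FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        # Unknown user: do the same work so response time does not reveal it.
        derive(password, b"\x00" * 16, ITERATIONS)
        return False
    salt, iterations, digest = row
    return hmac.compare_digest(derive(password, salt, iterations), digest)
```

Storing the iteration count beside each digest lets the work factor be raised later without invalidating existing rows.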