On Wed, Feb 04, 2009 at 09:34:56AM -0500, Raymond C. Rodgers wrote: > You don't need to depend on an external library for this functionality; > it's built right into Postgres. Personally, in my own apps I write in > PHP, I use a combination of sha1 and md5 to hash user passwords, > without depending on Postgres to do the hashing, but the effect is > basically the same.
Doing the hashing outside PG would reduce the chance of the password being exposed, either accidentally by, say, turning on statement logging, or maliciously. A general rule with passwords is to throw away any copy of a plain text password as quickly as possible, sending the password over to another process would go against this. -- Sam http://samason.me.uk/ -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
