> On Wed, Feb 04, 2009 at 09:34:56AM -0500, Raymond C. Rodgers wrote: > > You don't need to depend on an external library for this > functionality; > > it's built right into Postgres. Personally, in my own apps I write in > > PHP, I use a combination of sha1 and md5 to hash user passwords, > > without depending on Postgres to do the hashing, but the effect is > > basically the same. > > Doing the hashing outside PG would reduce the chance of the password > being exposed, either accidentally by, say, turning on statement > logging, or maliciously. A general rule with passwords is to throw > away > any copy of a plain text password as quickly as possible, sending the > password over to another process would go against this. >
Agreed. Another benefit of this is the hashing support in PHP is more flexible. I personally use the hash() function to get a SHA-256 hash instead of the weaker sha1 or md5. -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
