Debian/Ubuntu install packages:

```sh
sudo apt-get install postgresql                    # of course
sudo apt-get install postgresql-contrib libpq-dev  # gets pgcrypto: crypt(), gen_salt() and bcrypt
sudo apt-get install php5-pgsql                    # optional, if you are using PostgreSQL from PHP
```

Activate crypt() and bcrypt in PostgreSQL. Create your database first, then enable the pgcrypto extension:

```sh
echo "create extension pgcrypto" | psql -d yOuRdATaBaSeNaMe
```

(The `cd \`pg_config --sharedir\`` step from older instructions is only needed on PostgreSQL before 9.1, where you loaded contrib/pgcrypto.sql by hand; `create extension` works from any directory.)

Create a hash of :password with a good random salt. The 'bf' selects bcrypt and 8 is the cost factor (2^8 rounds); raise it until one hash takes a noticeable fraction of a second on your hardware:

```sql
insert into accounts (password_hash) values (crypt(:password, gen_salt('bf', 8)));
```

Compare :pass to the stored hash with:

```sql
select * from accounts where password_hash = crypt(:pass, password_hash);
```

Note how the existing hash is used as its own individualized salt: crypt() reads the algorithm, cost and salt back out of password_hash and re-hashes :pass under the same parameters, so the two are equal only when the password matches.

From-in-PHP bcrypt hashing is slightly preferable. PHP 5.5 and above has the password_* functions (password_hash(), password_verify(), password_needs_rehash()), which make bcrypt hashing trivially simple (about time!), and there is a backward-compatibility library for versions below that (it requires PHP 5.3.7+). Since PHP 5.3.0 the bcrypt implementation is bundled with PHP itself, so it no longer depends on the system crypt(3) supporting Blowfish; on anything older, make sure your system's crypt() actually has it.

Be careful of logging. With pgcrypto the password is in plaintext all the way from the browser, through PHP, to the database, where it arrives as a query parameter. That means it can be logged in plaintext if you are not careful with your database logs: a PostgreSQL slow-query log (log_min_duration_statement) or log_statement = 'all' will record a login query in progress, and for parameterised statements PostgreSQL writes the bind values into the log as well. Use PHP bcrypt if you can; it shortens the time the password remains unhashed and keeps the plaintext out of the database entirely, since only the hash crosses the wire.

Upgrading to at least PHP 5.3.7 is highly recommended. PHP's bcrypt implementation was buggy from 5.3.0 through 5.3.6 (hashes of passwords containing non-ASCII bytes were weakened; 5.3.7 fixed it and introduced the $2y$ prefix to mark hashes made by the fixed code), and PHP 5.2.9 and lower inappropriately fall back to the broken DES-based crypt without warning when Blowfish is unavailable.

In general, don't be an idiot: don't try to write your own homegrown crypto, just use what smart people have provided.

An application should hash its passwords using a key derivation function like bcrypt or PBKDF2. Sometimes, though, you still need cryptographic functions in the database. pgcrypto also gives you digest() with sha256, a member of the SHA-2 family. Keep in mind that SHA-0, SHA-1, MD4 and MD5 are very broken and should never be used for password hashes, and that even an unbroken fast hash such as SHA-256 is a poor password hash on its own, because an attacker with the table can try billions of guesses per second against it.

If you must use a plain digest, the following is an alright method of hashing passwords (in SQL, double quotes mean identifiers, so the values go in single quotes or bind parameters):

```sql
digest(salt || password || primary_key::text, 'sha256')
```

The salt should be a large, randomly generated value. In this construction the salt is also what protects the hashes: because SHA-256 is fast, the hashes can be broken as soon as the salt is recovered, so it must be kept secret (a secret salt is usually called a pepper) and stored away from the table it protects, which makes key management the weak point. Appending the primary key makes each row's hash input unique even when two users choose the same password. Prefer crypt() with gen_salt('bf') over this; it needs no secret to stay secure.
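The two storage styles described above, side by side, as an added example that is not code from the original post. It assumes PHP 7.0 or later, PostgreSQL with the pgcrypto extension enabled, a hypothetical table `accounts(id serial primary key, username text unique, password_hash text)`, and a PDO connection whose DSN and credentials below are placeholders; the cost factor of 12 is an assumption to tune per server.

```php
<?php
// Added example (not from the original post). Both ways of storing a bcrypt
// password hash in PostgreSQL: hashing inside the database with pgcrypto, and
// hashing in PHP with password_*. Table and connection details are assumed.
declare(strict_types=1);

const BCRYPT_COST = 12;   // assumed; tune so one hash takes roughly 100 ms on your server

function connect(): PDO {
    // Placeholder DSN and credentials.
    $pdo = new PDO('pgsql:host=localhost;dbname=yOuRdATaBaSeNaMe', 'app', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// --- Style 1: hash inside PostgreSQL with pgcrypto (plaintext reaches the DB) ---

function registerInDb(PDO $pdo, string $username, string $password): void {
    // The password travels as a bind parameter. With log_statement = 'all' or a
    // slow-query log, PostgreSQL writes bind values into the server log.
    $stmt = $pdo->prepare(
        "INSERT INTO accounts (username, password_hash)
         VALUES (:u, crypt(:p, gen_salt('bf', " . BCRYPT_COST . ")))"
    );
    $stmt->execute(['u' => $username, 'p' => $password]);
}

function loginInDb(PDO $pdo, string $username, string $password): bool {
    // The stored hash is passed as the salt: crypt() re-hashes :p with the
    // algorithm, cost and salt recorded in password_hash.
    $stmt = $pdo->prepare(
        "SELECT id FROM accounts
         WHERE username = :u AND password_hash = crypt(:p, password_hash)"
    );
    $stmt->execute(['u' => $username, 'p' => $password]);
    return $stmt->fetchColumn() !== false;
}

// --- Style 2: hash in PHP with password_* (PHP >= 5.5); only the hash reaches the DB ---

function registerInPhp(PDO $pdo, string $username, string $password): void {
    // bcrypt uses at most the first 72 bytes of the password.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $pdo->prepare('INSERT INTO accounts (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(['u' => $username, 'h' => $hash]);
}

function loginInPhp(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM accounts WHERE username = :u');
    $stmt->execute(['u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one bcrypt verification, against a dummy hash if the user does
    // not exist, so response time does not reveal which usernames are valid.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    $stored = ($row === false) ? $dummy : $row['password_hash'];
    $ok = password_verify($password, $stored);
    if ($row === false || !$ok) {
        return false;
    }

    // Transparently upgrade hashes made with a lower cost, or not made by
    // password_hash() at all (pgcrypto's $2a$ hashes verify fine but get
    // replaced with $2y$ ones here), while the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $pdo->prepare('UPDATE accounts SET password_hash = :h WHERE id = :id');
        $upd->execute([
            'h'  => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
            'id' => $row['id'],
        ]);
    }
    return true;
}

// Usage (constructed): register with in-database hashing, then log in either way;
// the PHP-side login migrates the row to a password_hash()-produced hash.
$pdo = connect();
registerInDb($pdo, 'alice', 'correct horse battery staple');
var_dump(loginInDb($pdo, 'alice', 'correct horse battery staple'));
var_dump(loginInPhp($pdo, 'alice', 'correct horse battery staple'));
var_dump(loginInPhp($pdo, 'alice', 'wrong password'));
```

Each named placeholder is used once per statement because PDO's native pgsql prepares do not allow reusing a named parameter. Only the in-database path ever hands the plaintext to PostgreSQL, which is exactly the path the logging caveat above applies to.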