[PARTIAL SOLVED] Re: Auth user with postgresql

Piotr Sikora piotr.sikora at frickle.com
Tue Feb 21 19:19:31 UTC 2012


Hi,

>> postgres_query    "SELECT user FROM usertable WHERE user=$user AND
>> pwd=crypt($pass, substr(pwd, 1, 2))";
>
> You should never use any part of whatever you're encrypting as the salt
> because it greatly reduces encryption strength / entropy. By using the
> first two characters of the password as the salt, you're revealing them
> because the salt is stored in the first two characters of the resulting
> crypt() hash:
>
> crypt("test", "te") generates "teH0wLIpW0gyQ"
> crypt("test", "XX") generates "XXF2OrGyU2fzk"
>
> So you may want to use something like this:
>
> postgres_query    "SELECT user FROM usertable WHERE user=$user AND
> pwd=crypt($pass, substr($user, 1, 2))";

Except that "pwd" used in the above snippet is not the password, but the hash
stored in the database, and "pwd=crypt($pass, pwd)" is the correct way to
verify that "$pass" would evaluate to the "pwd" hash (so that the password is
correct).

Best regards,
Piotr Sikora < piotr.sikora at frickle.com >
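To make the point about the salt concrete, here is an added example (not from the thread) that models crypt(3) in Python: the DES transform is replaced by a constructed SHA-256 stand-in, so the strings differ from the real crypt() outputs quoted above, but the salt-in-prefix layout and the "pass the stored hash back in as the salt" verification idiom are the same.

```python
import hashlib
import hmac
import secrets
import string

SALT_LEN = 2  # traditional crypt(3) keeps a 2-character salt as the hash prefix
ALPHABET = string.ascii_letters + string.digits + "./"


def fake_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): result = salt prefix + 11 chars derived from salt+password.

    Like crypt(), only the leading SALT_LEN characters of `salt` are used, which is
    why passing a full stored hash as the salt works. SHA-256 replaces DES here
    (constructed substitute, not the real algorithm).
    """
    salt = salt[:SALT_LEN]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return salt + digest


def new_hash(password: str) -> str:
    """Create a stored hash with a random salt, as password creation should."""
    salt = "".join(secrets.choice(ALPHABET) for _ in range(SALT_LEN))
    return fake_crypt(password, salt)


def verify(password: str, stored_hash: str) -> bool:
    """The idiom from the reply: pwd = crypt($pass, pwd).

    The stored hash carries its own salt, so recomputing with it as the salt
    reproduces the hash exactly when the password is right.
    """
    return hmac.compare_digest(fake_crypt(password, stored_hash), stored_hash)


def salt_of(stored_hash: str) -> str:
    """The salt is plaintext in the hash; if it was taken from the password,
    this is exactly the password prefix that gets exposed."""
    return stored_hash[:SALT_LEN]


if __name__ == "__main__":
    stored = new_hash("test")
    print("stored hash:", stored, "salt:", salt_of(stored))
    print("correct password verifies:", verify("test", stored))
    print("wrong password verifies:", verify("wrong", stored))
    # The flawed query salted with the password itself leaks its first 2 chars:
    print("password-derived salt exposes:", salt_of(fake_crypt("test", "test")))
```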



More information about the nginx mailing list