[PARTIAL SOLVED] Re: Auth user with postgresql
Piotr Sikora
piotr.sikora at frickle.com
Tue Feb 21 19:19:31 UTC 2012
Hi,
>> postgres_query "SELECT user FROM usertable WHERE user=$user AND
>> pwd=crypt($pass, substr(pwd, 1, 2))";
>
> You should never use any part of whatever you're encrypting as the salt
> because it greatly reduces encryption strength / entropy. By using the
> first two characters of the password as the salt, you're revealing them
> because the salt is stored in the first two characters of the resulting
> crypt() hash:
>
> crypt("test", "te") generates "teH0wLIpW0gyQ"
> crypt("test", "XX") generates "XXF2OrGyU2fzk"
>
> So you may want to use something like this:
>
> postgres_query "SELECT user FROM usertable WHERE user=$user AND
> pwd=crypt($pass, substr($user, 1, 2))";
Except that "pwd" used in the above snipped is not password, but the hash
stored in the database and "pwd=crypt($pass, pwd)" is the correct way to
verify that "$pass" would evaluate to "pwd" hash (so that the password is
correct).
Best regards,
Piotr Sikora < piotr.sikora at frickle.com >
More information about the nginx
mailing list