How can I hash passwords in postgresql?


Problem description

I need to hash some passwords with salt on postgresql, and I haven't been able to find any relevant documentation on how to get that done.

So how can I hash passwords (with some salts) in postgresql?

Solution

It's been a while since I asked this question, and I'm much more familiar with the cryptographic theory now, so here is the more modern approach:

Reasoning

  • Don't use md5. Don't use a single cycle of sha-family quick hashes. Quick hashes help attackers, so you don't want that.
  • Use a resource-intensive hash, like bcrypt, instead. Bcrypt is time tested and scales up to be future-proof-able.
  • Don't bother rolling your own salt, you might screw up your own security or portability, rely on gen_salt() to generate its awesome unique-to-each-use salts on its own.
  • In general, don't be an idiot, don't try to write your own homegrown crypto, just use what smart people have provided.

Debian/Ubuntu install packages

sudo apt-get install postgresql   # (of course)
sudo apt-get install postgresql-contrib libpq-dev   # (gets bcrypt, crypt() and gen_salt())
sudo apt-get install php5-pgsql   # (optional if you're using postgresql with php)

Activate crypt() and bcrypt in postgresql in your database

# Create your database first, then:
cd `pg_config --sharedir`   # Move to the postgres directory that holds these scripts.
echo "create extension pgcrypto" | psql -d yOuRdATaBaSeNaMe   # enable the pgcrypto extension

Use crypt() and gen_salt() in queries

Compare :pass to existing hash with:

select * from accounts where password_hash = crypt(:pass, password_hash);
-- (note how the existing hash is used as its own individualized salt)

Create a hash of :password with a great random salt:

insert into accounts (password_hash) values (crypt(:password, gen_salt('bf', 8)));
-- (the 8 is the work factor; the column is the same password_hash the compare query reads)

From-in-Php bcrypt hashing is slightly preferable

There are password_* functions in php 5.5 and above that allow trivially simple password hashing with bcrypt (about time!), and there is a backward compatibility library for versions below that. Generally that hashing falls back to wrapping a linux system call for lower CPU usage anyway, though you may want to ensure it's installed on your server. See: https://github.com/ircmaxell/password_compat (requires php 5.3.7+)

Be careful of logging

Note that with pgcrypto, the passwords are in plaintext all during the transmission from the browser, to php, to the database. This means they can be logged in plaintext from queries if you're not careful with your database logs. E.g. having a postgresql slow query log could catch and log the password from a login query in progress.

In Summary

Use php bcrypt if you can, it'll lessen the time that the password remains unhashed. Try to ensure your linux system has bcrypt installed in its crypt() so that it is performant. Upgrading to at least php 5.3.7+ is highly recommended as php's implementation is slightly buggy from php 5.3.0 to 5.3.6.9, and inappropriately falls back to the broken DES without warning in php 5.2.9 and lower.

If you want/need in-postgres hashing, installing bcrypt is the way to go, as the default installed hashes are old and broken (md5, etc).

Here are references for more reading on the topic:
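The crypt()/gen_salt() flow from the answer above, written out as one runnable psql script against a scratch database. This is an added example, not the answer's own code; the accounts table, its username/password_hash columns, the sample users and the target cost of 12 are assumptions.

```sql
-- Added example (not from the original answer). Assumed schema: accounts(username, password_hash).
create extension if not exists pgcrypto;

create table accounts (
    username      text primary key,
    password_hash text not null
);

-- Store: gen_salt('bf', n) returns a fresh random bcrypt salt with work factor n.
-- The algorithm id, cost and salt are all embedded in the resulting hash string.
insert into accounts (username, password_hash) values
    ('alice', crypt('correct horse battery staple', gen_salt('bf', 8))),
    ('bob',   crypt('hunter2',                      gen_salt('bf', 12)));

-- Inspect: bcrypt hashes from pgcrypto start with $2a$<cost>$ and are 60 chars long.
select username, left(password_hash, 7) as prefix, length(password_hash) as len
from accounts;

-- Verify: feed the stored hash back in as the "salt" so crypt() reuses the same
-- cost and salt, then compare. One row comes back only when the password matches.
select username
from accounts
where username = 'alice'
  and password_hash = crypt('correct horse battery staple', password_hash);

-- A wrong password produces no match (login_ok = false).
select count(*) = 1 as login_ok
from accounts
where username = 'alice'
  and password_hash = crypt('wrong password', password_hash);

-- Operations check: hashes below the current target cost (12 here, assumed) can
-- be re-hashed on the user's next successful login. Returns alice (cost 08).
select username
from accounts
where password_hash not like '$2a$12$%';

-- Logging caveat from the answer: the plaintext is a literal/parameter in these
-- statements, so log_statement and log_min_duration_statement would record it.
```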
