Jesse Norell wrote:
> Hello,
> 
>> DBMA 2.0.2 uses MD5-Digest (md5sum) by default for MySQL which is a
>> built-in since around v4.0 but I am in a quandary with PostgreSQL
>> which seems to rely on contribs to handle md5 selects. There also
>> seems to be quite a range of options. I wonder what seasoned
>> PostgreSQL folks would favour? (Is anyone using PSQL 8-beta?)
> 
>   What we do is have the application do all the md5 functions (which
> are quite easy in perl) and just pass the actual hash back and forth
> between the database.  That way your plaintext passwords never cross
> the network (assuming your db server is on another computer), so it's
> more secure, and it doesn't need any of the pgsql contrib md5
> functions. 

We don't bother encrypting the passwords at all. Granted our db is on a
non routable subnet, but we are talking pop and imap after all which
transmit the passwords in cleartext over the net anyways, so what's the
point?  That said, anyone wrapping ssl over imap/pop or anything like
that?

It's definitely an advantage of a dbmail type setup tho, if an account
gets compromised at worst only a user's email is affected.

-----
"Any sufficiently advanced bug is indistinguishable
from a feature." -- Rich Kulawiec
[EMAIL PROTECTED]
