MySQL, Postgres and passwords


Many developers, particularly those who work in a LAMP environment, use MySQL's PASSWORD() function to encode the passwords they store in their database. This function is not supposed to be very secure, but people use it anyway; in fact I have also been guilty of this crime at times.

On the other hand I have seen $1000 applications that store the password in clear text. These poor losers argue that if someone gains unauthorized access to your database you are in big trouble anyway. That is not the point. Passwords should be one-way hashed to protect them from friendly eyes as well as those of intruders.

No self-respecting system administrator or DBA will want to take a peek at your password on purpose, but sometimes, when doing routine administration, it is simply impossible not to see the contents of the password field if it is stored in clear text. As they say, lead us not into temptation.

In any event Postgres does not have the PASSWORD() function that you find in MySQL, so you have to hash the password yourself. If we had all done things right the first time, our PHP code would do the hashing for us instead of relying on the MySQL function. Since programmers are lazy by nature, it is not done that way.

Changing your PHP script so that it no longer uses the PASSWORD() function is a simple task. You only need one line of code to create an MD5 hash in PHP; not so with Java. Though it is said that you can program in Java with little knowledge of what lies under the hood, cryptography is one exception. In this case it is PHP that hides all the gory details, while Java assumes you know how the internal combustion engine works.
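The two points above, moving the hashing out of MySQL's PASSWORD() and into the PHP script and the one-line md5() call that does it, as an added example that is not code from the original post. The users table, column names and PDO connection are assumptions; an in-memory SQLite database stands in for Postgres so the script runs stand-alone, and the demo user and password are constructed.

```php
<?php
// Added example, not from the original post: the application hashes the password
// before it reaches the database, so the same code works against MySQL or Postgres
// and no DBA ever sees the clear-text value. Table and column names are assumptions.

declare(strict_types=1);

// The one-line MD5 hash the post refers to. Unsalted MD5 was the common choice at
// the time; current PHP ships password_hash()/password_verify() (bcrypt) for this job.
function hashPassword(string $plain): string
{
    return md5($plain);
}

// Compare in constant time so the check does not leak how many leading bytes match.
function verifyPassword(string $plain, string $storedHash): bool
{
    return hash_equals($storedHash, hashPassword($plain));
}

function createUser(PDO $db, string $username, string $plain): void
{
    // Prepared statement: the hash is bound as data, never concatenated into the SQL.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => hashPassword($plain)]);
}

function checkLogin(PDO $db, string $username, string $plain): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // Unknown user: still compute a hash so the response time does not reveal
    // which usernames exist.
    if ($hash === false) {
        hashPassword($plain);
        return false;
    }
    return verifyPassword($plain, (string) $hash);
}

// Constructed demo data; in-memory SQLite stands in for the Postgres database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash CHAR(32) NOT NULL)');

createUser($db, 'alice', 'correct horse');
var_dump(checkLogin($db, 'alice', 'correct horse'));
var_dump(checkLogin($db, 'alice', 'wrong'));
var_dump(checkLogin($db, 'nobody', 'anything'));

// What routine administration now shows: a 32-character hex digest, not the password.
foreach ($db->query('SELECT username, password_hash FROM users') as $row) {
    echo $row['username'], ' ', $row['password_hash'], PHP_EOL;
}
```

Run it with `php example.php` (needs the pdo_sqlite extension). The MySQL-specific part of the original script, PASSWORD() inside the INSERT, is gone: the INSERT and SELECT are plain SQL that Postgres accepts as-is, and the only cryptographic call is the single md5() line inside hashPassword(), which is also the one place to change when moving to a salted, slow hash.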
