3

Can anybody help me regarding the Postgres database? I need to hide the value in a table that was created. I need to hide the password data, as in the example below:

username  password
ana       123

I want the password to appear like *. Can anyone help me? Thank you in advance.

4
  • 1
    You can restrict access to tables -- but if the user can query a table then they can see what's in it. Commented Jul 13, 2011 at 2:30
  • 1
    If it is a program that writes passwords to the table, you could encrypt the passwords and then write them to the table. So, when a query to read the table is submitted manually, only the encrypted password is shown. Commented Jul 13, 2011 at 2:35
  • How do you check the password at login? It is always better to use MD5. Commented Jul 13, 2011 at 3:37
  • I check with this SQL statement: String sql = "select * from tracker_info_backup where username='"+username+"' and password='"+password+"' "; Commented Jul 15, 2011 at 3:07

3 Answers

2

Take a look at the pgcrypto module for some more options (like Extended DES crypt and PGP encryption). I don't recommend using MD5, because (IMHO) it's easily breakable nowadays (especially without any salt). A better choice is SHA-512 (or one of the SHA-3 candidates: BLAKE, Grøstl etc.).

I think that it's a good idea to check your hiding method against some (possibly GPU-accelerated) tools like hashcat. It really depends on how valuable the data you want to store is.


2

The usual, and best, way is to store the MD5 of the password and compare that with the MD5 of the password entered. It is fairly safe (but brute force can crack it given enough time).


1

One standard method of doing that sort of hiding is by creating a view, with all columns except the password column (or all columns, then '*' AS password). For the db user the application uses to connect, grant read access to the view, but remove read access for the source table. That way there is no chance of the application gaining access to the field.

Something like:

CREATE VIEW visible_users AS
  SELECT username, '***' as password
  FROM users;

Then make sure the privileges are managed appropriately:

REVOKE ALL ON users FROM app_user;

That said, you probably shouldn't be storing passwords in a database in plaintext -- it's a major potential security issue.

3 Comments

OK, thank you for the response. I had used md5 for the password. But when I do a login process in JSP with username: ana and password: 123, it can't read the password. If I don't set the password to md5 it runs smoothly. So I decided to change to another syntax, but I still haven't found it. How is it?
I'm not sure I follow your question. When using hashed password storage, you hash the password when you insert it into the database. Then, when you check for login, you hash the user input the same way, and compare the hashed values. At no point are you keeping the plaintext password around, so you're not in danger of those getting out.
How to change password using this view?
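
The hash-on-insert, hash-and-compare-on-login flow described in the answers and comments above, combined with the restricted view, as an added example that is not code from any of the posters. It uses pgcrypto's crypt() and gen_salt() with the bcrypt ('bf') algorithm as one option from that module; the table, role and function names are assumptions.

```sql
-- Added example; users, app_user, visible_users and check_login are assumed names.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE ROLE app_user LOGIN;              -- role the application connects as

CREATE TABLE users (
    username      text PRIMARY KEY,
    password_hash text NOT NULL          -- salted hash, never the plaintext
);

-- Store: gen_salt('bf', 10) makes a fresh random salt for each row,
-- and crypt() embeds that salt in the value it returns.
INSERT INTO users (username, password_hash)
VALUES ('ana', crypt('123', gen_salt('bf', 10)));   -- constructed sample row

-- Verify: crypt() reads the salt back out of the stored hash, so hashing the
-- submitted password against it reproduces the stored value only on a match.
-- SECURITY DEFINER lets app_user call this without SELECT on users.
CREATE FUNCTION check_login(p_username text, p_password text)
RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM users
        WHERE username = p_username
          AND password_hash = crypt(p_password, password_hash)
    );
$$;

-- View for ordinary reads: the hash column is never exposed.
CREATE VIEW visible_users AS
    SELECT username, '***' AS password
    FROM users;

-- The application role sees only the view and the login check.
REVOKE ALL ON users FROM app_user;
REVOKE ALL ON FUNCTION check_login(text, text) FROM PUBLIC;
GRANT SELECT ON visible_users TO app_user;
GRANT EXECUTE ON FUNCTION check_login(text, text) TO app_user;

-- From the application, pass both values as bound parameters, for example
-- a JDBC PreparedStatement with:  SELECT check_login(?, ?)
SELECT check_login('ana', '123');
SELECT check_login('ana', 'wrong');
```

Because the username and password reach the database only as function arguments, no user input is concatenated into the SQL text.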
