On Dec 25, 2012, at 1:59 PM, Tomas Vondra wrote:

> Hi,
>
> I'm a sqlalchemy newbie and I'm evaluating it on one of my projects. I
> do have a fair bit of experience with various ORM tools so I solved most
> of the issues I ran into, but I got stuck on hashed passwords.
>
> Imagine a simple table with info about application users
>
> CREATE TABLE users (
>   id INT PRIMARY KEY,
>   login TEXT NOT NULL UNIQUE,
>   pwdhash TEXT NOT NULL
> )
>
> where the pwdhash is a hashed password. I'm using PostgreSQL, which
> contains a 'pgcrypto' extension with various hashing functions, and a
> common way to store a hashed password with a random salt is this:
>
> In short I'm looking for a solution that
>
> 1) keeps the password hashing / validation in the DB
> 2) works transparently with a 'User' class, i.e. allows me to set or
> change the password but does not require it unless necessary
> 3) does not fetch the password hash all the time
The recipe for this at http://www.sqlalchemy.org/trac/wiki/UsageRecipes/ had fallen out of date, so I replaced it with a new one using current hybrid techniques which you can see using PG's crypt()/gen_salt() functions here: http://www.sqlalchemy.org/trac/wiki/UsageRecipes/DatabaseCrypt .

I do tend to do the crypt() on the app side instead. The unencrypted password isn't sent over the wire and won't show up in a SQL log. But it's good to see PG is supporting blowfish at least.
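A sketch of the hybrid-property approach the reply points to, written as an added example (it is neither the wiki recipe nor the poster's code). It assumes SQLAlchemy 1.4 or later and only compiles the statements against the PostgreSQL dialect, so it runs without a database; the table and column names follow the question above.

```python
from sqlalchemy import Column, Integer, Text, func, select
from sqlalchemy.dialects import postgresql
from sqlalchemy.ext.hybrid import Comparator, hybrid_property
from sqlalchemy.orm import declarative_base, deferred

Base = declarative_base()


class PasswordComparator(Comparator):
    """Render ``User.password == cleartext`` as ``pwdhash = crypt(cleartext, pwdhash)``:
    crypt() re-hashes with the salt embedded in the stored value, so equality
    means a match, and the cleartext travels only as a bound parameter."""

    def __eq__(self, other):
        return self.__clause_element__() == func.crypt(other, self.__clause_element__())


class User(Base):
    __tablename__ = "users"
    id = Column(Integer, primary_key=True)
    login = Column(Text, nullable=False, unique=True)
    # deferred: ordinary SELECTs leave the hash unloaded (point 3 of the question)
    pwdhash = deferred(Column(Text, nullable=False))

    @hybrid_property
    def password(self):
        return self.pwdhash  # no cleartext is ever kept on the instance

    @password.setter
    def password(self, value):
        # Assign a SQL expression: PostgreSQL hashes with a fresh random
        # blowfish salt at flush time; the app never computes the hash itself.
        self.pwdhash = func.crypt(value, func.gen_salt("bf"))

    @password.comparator
    def password(cls):
        return PasswordComparator(cls.pwdhash)


def login_check_sql(login, cleartext):
    """Render the login query as PostgreSQL would receive it (no connection needed)."""
    stmt = select(User.id).where(User.login == login, User.password == cleartext)
    return str(stmt.compile(dialect=postgresql.dialect()))


def set_password_sql(cleartext):
    """Render the expression the INSERT/UPDATE would carry for the new hash."""
    user = User(login="alice")  # constructed sample user, never persisted
    user.password = cleartext
    return str(user.pwdhash.compile(dialect=postgresql.dialect()))
```

Because the cleartext is bound as a parameter rather than inlined, it is what the driver sends over the wire and what a statement log may show, which is the trade-off the reply raises.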
