On 26.12.2012 03:38, Michael Bayer wrote:
>
> On Dec 25, 2012, at 1:59 PM, Tomas Vondra wrote:
>
>> Hi,
>>
>> I'm a sqlalchemy newbie and I'm evaluating it on one of my
>> projects. I do have a fair bit of experience with various ORM tools
>> so I solved most of the issues I ran into, but I got stuck on
>> hashed passwords.
>>
>> Imagine a simple table with info about application users
>>
>> CREATE TABLE users (
>>     id      INT  PRIMARY KEY,
>>     login   TEXT NOT NULL UNIQUE,
>>     pwdhash TEXT NOT NULL
>> )
>>
>> where the pwdhash is a hashed password. I'm using PostgreSQL,
>> which contains a 'pgcrypto' extension with various hashing
>> functions, and a common way to store a hashed password with a
>> random salt is this:
>>
>> In short I'm looking for a solution that
>>
>> 1) keeps the password hashing / validation in the DB
>> 2) works transparently with a 'User' class, i.e. allows me to set or change
>>    the password but does not require it unless necessary
>> 3) does not fetch the password hash all the time
>
> The recipe for this at
> http://www.sqlalchemy.org/trac/wiki/UsageRecipes/ had fallen out of
> date, so I replaced it with a new one using current hybrid techniques
> which you can see using PG's crypt()/gen_salt() functions here:
> http://www.sqlalchemy.org/trac/wiki/UsageRecipes/DatabaseCrypt .
Awesome! Thanks a lot, I'll try to use this new recipe.

> I do tend to do the crypt() in the app side instead. The unencrypted
> password isn't sent over the wire and won't show up in a SQL log.
> But it's good to see PG is supporting blowfish at least.

Yes, that's true. Both options have their pros and cons.

regards
Tomas
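As an added example (my own code, not the wiki recipe's and not part of this thread), here is a SQLAlchemy 1.4+/2.x model that follows the pattern Michael describes: hashing and checking are delegated to PostgreSQL's pgcrypto crypt()/gen_salt('bf'), the hash column is deferred so it is not fetched by default, and the statements are compiled to PostgreSQL SQL text so the script runs without a database. The names `User`, `PasswordComparator`, `create_user_sql` and `login_check_sql` are mine; note that the plaintext still reaches the server as a bind parameter, which is exactly the trade-off Michael points out.

```python
from sqlalchemy import Column, Integer, Text, func, insert, select
from sqlalchemy.dialects import postgresql
from sqlalchemy.ext.hybrid import Comparator, hybrid_property
from sqlalchemy.orm import declarative_base, deferred

Base = declarative_base()

class PasswordComparator(Comparator):
    """Makes `User.password == 'x'` render as pwdhash = crypt('x', pwdhash)."""

    def __eq__(self, other):
        col = self.__clause_element__()
        return col == func.crypt(other, col)

class User(Base):
    __tablename__ = "users"
    id = Column(Integer, primary_key=True)
    login = Column(Text, nullable=False, unique=True)
    # deferred(): the hash is only fetched when explicitly accessed
    _pwdhash = deferred(Column("pwdhash", Text, nullable=False))

    @hybrid_property
    def password(self):
        return self._pwdhash

    @password.setter
    def password(self, plaintext):
        # Store a SQL expression, so the INSERT/UPDATE has PostgreSQL hash
        # the value with a fresh random blowfish salt (pgcrypto).
        self._pwdhash = func.crypt(plaintext, func.gen_salt("bf"))

    @password.comparator
    def password(cls):
        return PasswordComparator(cls._pwdhash)

def compile_pg(stmt):
    """Render a statement as PostgreSQL SQL text with bind placeholders."""
    return str(stmt.compile(dialect=postgresql.dialect()))

def create_user_sql(login, plaintext):
    user = User(login=login)
    user.password = plaintext  # hybrid setter: value becomes crypt(..., gen_salt('bf'))
    stmt = insert(User.__table__).values(login=user.login, pwdhash=user._pwdhash)
    return compile_pg(stmt)

def login_check_sql(login, plaintext):
    # A matching row means the credentials check out; the hash stays in the DB.
    return compile_pg(select(User.id).where(User.login == login, User.password == plaintext))
```

The plaintext never appears in the rendered statement text (it is a bind parameter), but it does cross the wire and can still end up in server-side statement/parameter logs.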
