Re: Possible to store invalid SCRAM-SHA-256 Passwords
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: raf@raf.org
Cc: pgsql-bugs@lists.postgresql.org
Date: 2019-04-23T14:42:00Z
Lists: pgsql-bugs
Greetings, * raf@raf.org (raf@raf.org) wrote: > Stephen Frost wrote: > > I agree we should also handle md5 better. I realize this needs to be > > back-patched and so we have to deal with the existing catalog structure, > > but this really screams out, in my mind anyway, that we shouldn't have > > ever tried to just stash the password-encoding-type into the password > > field and that we should have pulled it out into its own column, so that > > we aren't having to guess about things as important as a password. > > I don't think there's anything wrong with prefixing a > password hash with an identifier for the password > hashing scheme (and any parameters for that scheme). > This is done all the time in many systems. It just has > to be unambiguoous. There isn't a way to make it unambiguous given that we accept more-or-less anything as a plaintext password though, that would be the issue here.. Thanks! Stephen
Commits
-
Fix detection of passwords hashed with MD5
- a82c06f4001d 9.4.22 landed
- 20dbc84bd002 9.5.17 landed
- af298f00a1e8 9.6.13 landed
-
Fix detection of passwords hashed with MD5 or SCRAM-SHA-256
- 15fe91e70ec6 10.8 landed
- 7f56d43663dd 11.3 landed
- ccae190b916f 12.0 landed