Re: Automatic upgrade of passwords from md5 to scram-sha256
Isaac Morland <isaac.morland@gmail.com>
From: Isaac Morland <isaac.morland@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: "Peter J. Holzer" <hjp-pgsql@hjp.at>, pgsql-general@postgresql.org
Date: 2025-01-13T00:15:57Z
Lists: pgsql-general
On Sun, 12 Jan 2025 at 17:59, Tom Lane <tgl@sss.pgh.pa.us> wrote: > "Peter J. Holzer" <hjp-pgsql@hjp.at> writes: > > The web framework Django will automatically and transparently rehash any > > password with the currently preferred algorithm if it isn't stored that > > way already. > > Really? That implies that the framework has access to the original > cleartext password, which is a security fail already. It happens upon user login. If the user's password is hashed with an old algorithm, it is re-hashed during login when the Django application running on the Web server has the password sent by the user: https://docs.djangoproject.com/en/5.1/topics/auth/passwords/#password-upgrading But of course this only works if the old method in use involves sending the password to the server.