Re: Automatic upgrade of passwords from md5 to scram-sha256

Isaac Morland <isaac.morland@gmail.com>

From: Isaac Morland <isaac.morland@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: "Peter J. Holzer" <hjp-pgsql@hjp.at>, pgsql-general@postgresql.org
Date: 2025-01-13T00:15:57Z
Lists: pgsql-general
On Sun, 12 Jan 2025 at 17:59, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> "Peter J. Holzer" <hjp-pgsql@hjp.at> writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
>
> Really?  That implies that the framework has access to the original
> cleartext password, which is a security fail already.


It happens upon user login. If the user's password is hashed with an old
algorithm, it is re-hashed during login when the Django application running
on the Web server has the password sent by the user:

https://docs.djangoproject.com/en/5.1/topics/auth/passwords/#password-upgrading

But of course this only works if the old method in use involves sending the
password to the server.