On 7/05/2010 12:01 PM, Craig Ringer wrote:
>
> craig=> create or replace function extract_salt(text) returns text as $$
> craig$> select (regexp_matches($1, E'^(\\$[^\\$]+\\$[^\\$]+)\\$'))[1];
> craig$> $$ language sql immutable;
Upon re-reading the pgcrypto documentation I see that this is unnecessary.
Just pass the password hash as the salt. Pgcrypto will extract the salt
part of the hash its self. (otherwise, how could you check passwords?)
So - just as if you were testing authentication, crypt the user's new
password plaintext against each of the old password hashes using the old
password hash as salt, and see if the output hash is the same as the old
password hash. If it is, they've re-used the password.
--
Craig Ringer