Discussion: Password encryption
Hello,
Is there a way I can encrypt the default password column of db user password? I know by default the password is encrypted as md5, can we encrypt that of shadow column for password?
Thanks in advance
On 04/15/2018 05:22 PM, Azimuddin Mohammed wrote:
> Hello,
> Is there a way I can encrypt the default password column of db user
> password? I know by default the password is encrypted as md5, can we
> encrypt that of shadow column for password?

Are you talking about this view?:

https://www.postgresql.org/docs/10/static/view-pg-shadow.html

If so that is only readable by superusers:

production=# \c - aklaver
You are now connected to database "production" as user "aklaver".
production=> select * from pg_shadow ;
ERROR: permission denied for relation pg_shadow
production=> \c - postgres
You are now connected to database "production" as user "postgres".
production=# select * from pg_shadow ;
 usename | usesysid | usecreatedb | usesuper | userepl | usebypassrls | passwd | valuntil | useconfig
...

Assuming someone is in your database as a superuser, access to the password field in pg_shadow is pretty much moot.

> Thanks in advance

--
Adrian Klaver
adrian.klaver@aklaver.com
On 04/15/2018 07:22 PM, Azimuddin Mohammed wrote:
> Hello,
> Is there a way I can encrypt the default password column of db user password? I know by default the password is encrypted as md5, can we encrypt that of shadow column for password?

MD5 is a one-way hash, not an encryption scheme. Thus, the password cannot be reverse-computed from the MD5 hash value. So, you're (kinda) safe, although an attacker could determine the password through brute-force calculation of hashes.
--
Angular momentum makes the world go 'round.
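
Added example, not part of the thread and not PostgreSQL's own code: a Python illustration of how the md5 value discussed above is derived ('md5' followed by md5(password || username), so the role name acts as the salt) and a classifier for pg_shadow.passwd values exported by a superuser. The SCRAM-SHA-256 format (PostgreSQL 10 and later) is not mentioned in the thread; the function names and the sample rows are assumptions constructed here.

```python
import hashlib
import re

# Stored formats: 'md5' + 32 hex digits, or a SCRAM-SHA-256 verifier (PostgreSQL 10+).
MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+"
)


def pg_md5_verifier(username: str, password: str) -> str:
    """Value PostgreSQL stores for an md5 password: 'md5' + md5(password || username)."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def classify_passwd(passwd):
    """Classify one pg_shadow.passwd value by its storage format."""
    if passwd is None:
        return "no-password"
    if MD5_RE.fullmatch(passwd):
        return "md5"
    if SCRAM_RE.fullmatch(passwd):
        return "scram-sha-256"
    return "unrecognized"  # for example a cleartext password on a pre-10 server


def audit(rows):
    """Group (usename, passwd) rows from pg_shadow into {format: [role names]}."""
    report = {}
    for usename, passwd in rows:
        report.setdefault(classify_passwd(passwd), []).append(usename)
    return report


# Constructed sample rows, not taken from any real server.
SAMPLE_ROWS = [
    ("alice", pg_md5_verifier("alice", "example-password")),
    ("bob", pg_md5_verifier("bob", "example-password")),  # same password, different hash
    ("carol", "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5"),
    ("reporting", None),
]

if __name__ == "__main__":
    for fmt, roles in audit(SAMPLE_ROWS).items():
        print(f"{fmt}: {', '.join(roles)}")
```

Roles reported under "md5" are the ones exposed to the offline hash calculation the reply describes if the pg_shadow contents ever leak.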