Hi,
Sending this as requested by xocolatl on #postgresql (irc).
On discovering that (md5) password hashes are stored in postgres in a
manner similar to this:
'md5' || md5('the most secret password' || 'username')
i.e. without the use of a random salt, it was suggested I should look
into the scram alternative.
I can't find information about the storage format for that at all -
other than "... and supports storing passwords on the server in a
cryptographically hashed form that is thought to be secure."
It would be nice to see more information on this.
Thanks,
Richard
On Mon, Aug 20, 2018 at 01:35:56PM +1200, Richard Hector wrote: > I can't find information about the storage format for that at all - > other than "... and supports storing passwords on the server in a > cryptographically hashed form that is thought to be secure." > > It would be nice to see more information on this. The SCRAM verifiers stored conform to RFC 5803: https://tools.ietf.org/html/rfc5803. This is mentioned in the comments of auth-scram.c. Do you think that mentioning that in this paragraph of this doc would be useful? We could for example append "as defined in RFC 5803" in the last sentence. -- Michael
Сайт использует файлы cookie для корректной работы и повышения удобства. Нажимая кнопку «Принять» или продолжая пользоваться сайтом, вы соглашаетесь на их использование в соответствии с Политикой в отношении обработки cookie ООО «ППГ», в том числе на передачу данных из файлов cookie сторонним статистическим и рекламным службам. Вы можете управлять настройками cookie через параметры вашего браузера