public inbox for [email protected]
* password storage docs
From: Richard Hector @ 2018-08-20 01:35 UTC (permalink / raw)
To: pgsql-docs
Hi,
Sending this as requested by xocolatl on #postgresql (irc).
On discovering that (md5) password hashes are stored in postgres in a
manner similar to this:
'md5' || md5('the most secret password' || 'username')
i.e. without the use of a random salt, it was suggested I should look
into the scram alternative.
I can't find information about the storage format for that at all -
other than "... and supports storing passwords on the server in a
cryptographically hashed form that is thought to be secure."
It would be nice to see more information on this.
Thanks,
Richard
* Re: password storage docs
From: Michael Paquier @ 2018-08-20 02:46 UTC (permalink / raw)
To: Richard Hector <[email protected]>; +Cc: pgsql-docs
On Mon, Aug 20, 2018 at 01:35:56PM +1200, Richard Hector wrote:
> I can't find information about the storage format for that at all -
> other than "... and supports storing passwords on the server in a
> cryptographically hashed form that is thought to be secure."
>
> It would be nice to see more information on this.
The SCRAM verifiers stored conform to RFC 5803:
https://tools.ietf.org/html/rfc5803.
This is mentioned in the comments of auth-scram.c. Do you think that
mentioning that in this paragraph of this doc would be useful? We could
for example append "as defined in RFC 5803" in the last sentence.
--
Michael
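Added example, not part of either message and not PostgreSQL's own code: the md5 layout quoted in the first message next to a SCRAM-SHA-256 verifier in the RFC 5803 layout named in the reply, to show what the random salt changes. Function names and sample credentials are constructed, the 4096 iteration count is an assumed default, and SASLprep normalisation is skipped on the assumption of an ASCII password.

```python
import base64
import hashlib
import hmac
import os

def pg_md5_verifier(password, username):
    # Layout from the first message: 'md5' || md5(password || username).
    # The only "salt" is the user name, so the value is fully deterministic.
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()

def scram_sha256_verifier(password, salt=None, iterations=4096):
    # RFC 5803 layout: scheme$iter-count:salt$StoredKey:ServerKey (base64 fields).
    salt = os.urandom(16) if salt is None else salt
    # SaltedPassword = Hi(password, salt, i), which is PBKDF2 with HMAC-SHA-256.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return "SCRAM-SHA-256$%d:%s$%s:%s" % (
        iterations, b64(salt), b64(stored_key), b64(server_key))

def parse_scram_verifier(verifier):
    # Split the stored string back into its RFC 5803 parts.
    scheme, auth_info, auth_value = verifier.split("$")
    iterations, salt = auth_info.split(":")
    stored_key, server_key = auth_value.split(":")
    return (scheme, int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))

def password_matches(password, verifier):
    # Recompute with the stored salt and iteration count, compare in constant time.
    scheme, iterations, salt, _, _ = parse_scram_verifier(verifier)
    if scheme != "SCRAM-SHA-256":
        raise ValueError("unsupported scheme: " + scheme)
    candidate = scram_sha256_verifier(password, salt, iterations)
    return hmac.compare_digest(candidate, verifier)

if __name__ == "__main__":
    pw, user = "the most secret password", "username"  # constructed sample values
    # Same user and password on any two servers: identical md5 verifier.
    print(pg_md5_verifier(pw, user) == pg_md5_verifier(pw, user))
    # Same password stored twice with SCRAM: different salt, different verifier.
    first, second = scram_sha256_verifier(pw), scram_sha256_verifier(pw)
    print(first != second, password_matches(pw, first), password_matches(pw, second))
```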