Received: from malur.postgresql.org ([2a02:16a8:dc51::56]) by arkaria.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.89) (envelope-from ) id 1frZHQ-0003Pm-8D for pgsql-docs@arkaria.postgresql.org; Mon, 20 Aug 2018 01:46:52 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.89) (envelope-from ) id 1frZHL-0007ow-6c for pgsql-docs@arkaria.postgresql.org; Mon, 20 Aug 2018 01:46:47 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.89) (envelope-from ) id 1frZ7C-0007A0-39 for pgsql-docs@lists.postgresql.org; Mon, 20 Aug 2018 01:36:18 +0000 Received: from sapphire.openblue.co.nz ([103.16.181.146] helo=mailhub.nz) by magus.postgresql.org with esmtp (Exim 4.89) (envelope-from ) id 1frZ71-0003su-94 for pgsql-docs@postgresql.org; Mon, 20 Aug 2018 01:36:15 +0000 Received: from [192.168.1.111] (203-118-153-20.wha.wave.co.nz [203.118.153.20]) by mailhub.nz (Postfix) with ESMTPSA id 83E817254C for ; Mon, 20 Aug 2018 13:35:57 +1200 (NZST) To: pgsql-docs@postgresql.org From: Richard Hector Subject: password storage docs Openpgp: preference=signencrypt Autocrypt: addr=richard@walnut.gen.nz; prefer-encrypt=mutual; keydata= xsFNBFVS39cBEADLK9cDB4TE/MiLnFh3bP9smaiUo3C+CtKq2HAcPzNlAydbsgpL2w0EHDZ3 Wpl1bNuAx6jK043o70g+2gt0SiV7ptNHRQRNwt2BImj9bwMcJNlqXVl/YCE5e2BArXLZuZcw PC6jgz2erDblL9D1+nd03j3HYgTx+L2Ts8uaokdq28wfC2if05E8ENMqHOPVa293LD4WqZGs sr+pUpUK3cdzmgyfLka32T8emwmVXiTBcIwEJxv/ASJQ02UmRIksrbCal8ATsiKDq9yXdSwK 1B2OftTD+/yJihUfc/jDuZt7P2r0pHxUF2axa4CHTvG+6r52Z0Vrx4W4XQ4qyZ7JDpYpnA+3 FSFu6P7ebIq4of47NrqnE/2Leild67/4FN9wZmgyWcZPH4+2t9se9jeQNff4k+NiAWaciHUx 8FDFxBMiW5ARirt+Ec2WjexJ2vjD/A/C5l5sMbZu8S/v/0vkIzd+V1BR0IlbGDftGZdefU9i acsL7XN/1NCpVostG+YSI1QsnGaMhpLEtglw4Tmp6dCN3f9XezoXmn1IMtFyIxsKdYBhiNzX XQu/par+X5H2OBuXzOh4DbZ1r/YV4adflbZVmcxVN3HfrzLJViBmXWDxHfJytDU8QLVWzNRa NJ6PjPuD4KJvzDivMXTtBSRaxy5BLvnIVyIcIgAldCP3kwwDbwARAQABzSxSaWNoYXJkIEhl Y3RvciA8cmljaGFyZEByaWNoYXJkaGVjdG9yLmNvLm56PsLBlAQTAQgAPgIbAwULCQgHAgYV CAkKCwIEFgIDAQIeAQIXgBYhBBMM939vq+ecpwnKdDn+2exNOUNuBQJbbNPbBQkH+yeEAAoJ EDn+2exNOUNu8FkQALh0s97IqIG08LKDPqx83jF6PX4gYy/x+7zyC39ImQaLISQMwZJMRib2 SrxmiuzPDlOZB2UADDF/OPo7SFOOMLHmO95Djr6VZqVcNnqRkhHBrtKEPFD4lziIu73QdPEv tvj/vQke9vIaJbXBETPyviagE2vCj8EMH1pgF4ReeuFof0eEczisIV9YH2TaEFtOVQr/xYyO 6D2u7F4OqqgE6hYbh2flid2MYh1lXxuQT65b0NoaDpbk3pnVvY+HdX1KCDzYn09ryNRIFKoA Y39cY6iiOzzfXmHvX+PcnEaxCq2y0i2Tlp7teKLPSY5/AG1X2WDKgCLlr5npDW1jNysbbZVL 4RPtnkctMJBYwcmfFVf1RTLaTxY46yJWttPRoY6HqUwpA3AVcxB6YeEADprpPQ1Ihpl7qaH0 hjCZPu7yNmAf7TNiy4ykNAkscfCgrAH28o46iUj8AOTtz9Lqne20xDWTaL/Z1VAiYsHLQmlk uAU4HQAunyI/CsLMdejQSnZMFWZbHrHtNWRhTTNdYOVq24fyaJcxIesopbG97Dkaz2V2vIL3 bpBqDmK1raxMq4chyCIWkowXWCF1y1fkp8vsGJLaLELZR2ai6ZvjTcpY+1hGFa8VEFUHTg2X t2cW0n5RTEICUiWzzhn6BfyNd1AM4AZeFKD7eZY1ru6a1XnZYbnfzsFNBFVS39cBEADqG4ar g283NdVGS0pRvyP1AOr19cPI0iKNgKvDHZwLdDSUIgh48b/QT1rpOua+81mpPOYHy4nIGfu6 qTEn//G7eWFQcDizMqb1iEJ9htNvuCVWS78h3131AhLDCdOKL/O72DSu757+li/0XoyZHzXp 8QMeYqpzEkzLqZswehbDnnVLtQe1jmgbnDgF9dN8x/LGNokgul3eLM5lCzZmDcZSPCUZbvi5 TkP56oKu3QF48nvcguJWoS8nIRNiRZ59X9IvIaTZ0yABzl5dKJ5a29zLW/AimVwhoWMyB9J5 h/4O/7DEJZtLAHLpb1kTHptXzx60Mn9A7reUM+w9pFkfQbXTEdmgHo48lsAMUXW+Q/+Jyh4j A0SOhbB6Lm8ja5TrcBebz8bBIQi3uWquwBob5Hss9Wd+dPKERwcKAbh+9QEsOdz6DB9kXtNT FksbsXf62d3Ydg2h3Bl7Tfy1nV+eEB2L2DuIs6o3IWgtiOIoP0BL/yUvbC0A+7X/fCzk+FbP ohPDt2jw2kAolwXtsq4OYE61CsNEx5gUK+taMz3qsWUb9Q/lWUTXToNCe9MTfyrr6wfFXoDy AYy2cQQ33c5bRDTrP8xiKmbxOa+s/QKjejwC2+XC2mkpqMdpG2rDa8ON3dRU7DxVxdSqGIr2 nXgOf+BTORnHYAOfXtE4iNcXzQGX0QARAQABwsF8BBgBAgAmAhsMFiEEEwz3f2+r55ynCcp0 Of7Z7E05Q24FAlts0+0FCQf7J5YACgkQOf7Z7E05Q25Nrg/7BAD93+j7fV5GD20DjjRxzHsg 7U/E3OiIbYIP74jJFtl+RyCTa1KsOgLpvdCoYK7239DDdmM+G3vSoga1PVuPH+lklbkGi65+ 1VHufo1gYLBKaITzr/F6ZntLEhoEY9965if/kBP3NvwM8y4xCsYvc7CGDxXGeopoHuKtikrR Cf0EdjI7mpQRHoSEo0xdGSLS8xMG9MxApTLM+iKDgx1CAW2xtHZKPK0kP2Xp+5O52v6P5rHf KW+BAW88TRz57yotgaHMQoR33mtUylEpjxnSTimuR/SsYkb1JlyqlhxSU1r859WCsbxFR2Zc cCdp55TRarMgNvTt7CaNqHRWKP+IFdZIXqKT25EqvWpdxJpgD6v07rn/RNbg9wWrlz/Ip29k AsZPqlco18KX+KsnI3Uu2ne3AY29NUiMKDstNWHMtzLCVJJf/X0yjAdxEJ+p3SBM7tBhyr5M aoRdJvVzIK4kNrTXHV97/Tj2t9rA5ADe3xMHCncIfQhfbeUftRtVr3n7LKC5Jbd3LXXUuS/M RK3o+0alxHnXnkiViWQrJJC1QLFb9McOCLhhVg2T6z/v6gJM4mysr9dIP1SGhu+kjgGuMHJU 7v/GAwKxLe26XjkdMSxQy65GK+ls7zwouCUlfDPic3SdowNd90cYEPKjunL4sjPNbTRLaLyY 1MxLnKHi1Uo= Message-ID: <2da8edec-c930-bd42-1ba0-a8ed172c80f4@walnut.gen.nz> Date: Mon, 20 Aug 2018 13:35:56 +1200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Precedence: bulk Hi, Sending this as requested by xocolatl on #postgresql (irc). On discovering that (md5) password hashes are stored in postgres in a manner similar to this: 'md5' || md5('the most secret password' || 'username') i.e. without the use of a random salt, it was suggested I should look into the scram alternative. I can't find information about the storage format for that at all - other than "... and supports storing passwords on the server in a cryptographically hashed form that is thought to be secure." It would be nice to see more information on this. Thanks, Richard