public inbox for [email protected]
help / color / mirror / Atom feedFrom: Isaac Morland <[email protected]>
To: Tom Lane <[email protected]>
Cc: Peter J. Holzer <[email protected]>
Cc: [email protected]
Subject: Re: Automatic upgrade of passwords from md5 to scram-sha256
Date: Sun, 12 Jan 2025 19:15:57 -0500
Message-ID: <CAMsGm5coc93kLUHN81BzYz7j1stBW3BJkgnrcw+GGKxf4ZjUfA@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
On Sun, 12 Jan 2025 at 17:59, Tom Lane <[email protected]> wrote:
> "Peter J. Holzer" <[email protected]> writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
>
> Really? That implies that the framework has access to the original
> cleartext password, which is a security fail already.
It happens upon user login. If the user's password is hashed with an old
algorithm, it is re-hashed during login when the Django application running
on the Web server has the password sent by the user:
https://docs.djangoproject.com/en/5.1/topics/auth/passwords/#password-upgrading
But of course this only works if the old method in use involves sending the
password to the server.
view thread (6+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Automatic upgrade of passwords from md5 to scram-sha256
In-Reply-To: <CAMsGm5coc93kLUHN81BzYz7j1stBW3BJkgnrcw+GGKxf4ZjUfA@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox