From: Isaac Morland
Date: Sun, 12 Jan 2025 19:15:57 -0500
Subject: Re: Automatic upgrade of passwords from md5 to scram-sha256
To: Tom Lane
Cc: "Peter J. Holzer", pgsql-general@postgresql.org
In-Reply-To: <372571.1736722760@sss.pgh.pa.us>
References: <20250112222828.b36hpzm3ulfzlkws@hjp.at> <372571.1736722760@sss.pgh.pa.us>

On Sun, 12 Jan 2025 at 17:59, Tom Lane wrote:
> "Peter J. Holzer" writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
>
> Really? That implies that the framework has access to the original
> cleartext password, which is a security fail already.

It happens upon user login. If the user's password is hashed with an old algorithm, it is re-hashed during login when the Django application running on the Web server has the password sent by the user:
https://docs.djangoproject.com/en/5.1/topics/auth/passwords/#password-upgrading

But of course this only works if the old method in use involves sending the password to the server.