public inbox for [email protected]
help / color / mirror / Atom feedFrom: Alvaro Herrera <[email protected]>
To: Japin Li <[email protected]>
Cc: Bernd Helmle <[email protected]>
Cc: PostgreSQL Development <[email protected]>
Subject: Re: Modern SHA2- based password hashes for pgcrypto
Date: Fri, 7 Feb 2025 10:31:44 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <ME0P300MB0445B934B42B8A2803F46309B6F12@ME0P300MB0445.AUSP300.PROD.OUTLOOK.COM>
On 2025-Feb-07, Japin Li wrote:
> Since there is no standard, how do we handle this? I prefer to use
> the strict mode like passlib.
I definitely like that passlib have documented their thought process
thoroughly.
I think using their strict mode is good on principle, but if we're going
to do that, then the salt string should not be used verbatim, but
instead base64-decoded first to get the actual salt bytes, like they do.
Does this break compabitibility with other systems? Are
passlib-generated password hashes incompatible with, say, "openssl
passwd" which you (Bernd) mentioned at the beginning of the thread?
Maybe if the password hashes are no longer compatible, then we should
ditch the idea of restricting salts to base64 chars and accept the whole
range of bytes, like Drepper.
But in any case ISTM we should reject, as they suggest, the use of less
than 4 bytes of salt (and should perhaps settle for a default of 16, as
passlib suggests). I suppose this is why passlib returns NULL with
empty salt. What we should do in that case IMO is ereport(ERROR).
--
Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/
"Porque Kim no hacía nada, pero, eso sí,
con extraordinario éxito" ("Kim", Kipling)
view thread (5+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Modern SHA2- based password hashes for pgcrypto
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox