public inbox for [email protected]  
From: Zaur Hajili <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: passwordcheck module problem
Date: Thu, 15 Feb 2024 16:20:17 +0400
Message-ID: <CAFS9i-zYnEF3GZPZV+bDr_-2q394vG2VX9Vt3b8DYkSu+O8gEA@mail.gmail.com> (raw)

Hi,

Recently one of the DBA course students informed me about a problem with
the passwordcheck module.

I cannot imagine that this is not a known issue, but if it is a known
issue, then the passwordcheck module loses all its functionality.

The problem is that when a user changes their password via the \password
psql meta-command, they can set any simple password successfully.

Tested in versions 14, 15 and 16; same behavior.

Postgres must check the password before converting it to a hash; it is
clear that after hashing it cannot detect the weakness.

postgres=# select version();
                                                 version

---------------------------------------------------------------------------------------------------------
 PostgreSQL 15.5 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0
20210514 (Red Hat 8.5.0-20), 64-bit
(1 row)

postgres=# show shared_preload_libraries;
   shared_preload_libraries
-------------------------------
 $libdir/passwordcheck,pgaudit
(1 row)

postgres=# create user test1 with password '1';
ERROR:  password is too short
postgres=#
postgres=# \set VERBOSITY verbose
postgres=#
postgres=# create user test1;
CREATE ROLE
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
postgres=#
postgres=# \set ECHO_HIDDEN on
postgres=#
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
********* QUERY **********
ALTER USER test1 PASSWORD
'SCRAM-SHA-256$4096:8HfuUKZq5sm8cYQzuk16mA==$8UM1aksC3gc9t5P+Hi1HXZw4FVsPU+JAa9ieL/UaDKA=:bv5P+tMlIsRC9hL5Da+tTF1O3+CBkOhxdmBrD5Di1A0='
**************************


-- 
Regards
Zaur Hajili
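As an added illustration (my own code, not part of the report above and not PostgreSQL's or passwordcheck's source), the following Python models both halves of what the session shows: how psql's \password turns the typed password into a SCRAM-SHA-256 verifier (RFC 7677: PBKDF2 salted password, ClientKey, StoredKey, ServerKey) before it ever reaches the server, and what a server-side check hook in the style of contrib/passwordcheck can still do with the string that arrives. The function names `check_password`, `password_type` and `scram_matches` are mine; the rejection messages and the 8-character minimum follow passwordcheck's behaviour as I understand it, and the verifier string is the one captured in the ECHO_HIDDEN output above.

```python
"""Model of why a client-side hashed password bypasses a server password check.

Added example, not PostgreSQL code. Left side: what psql's \password builds.
Right side: what a passwordcheck-style hook can do with the result.
"""
import base64
import hashlib
import hmac
import os
import re

MIN_PWD_LEN = 8  # same minimum as contrib/passwordcheck
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)"
)

# Verifier captured in the psql session of the report (plaintext unknown).
CAPTURED_VERIFIER = (
    "SCRAM-SHA-256$4096:8HfuUKZq5sm8cYQzuk16mA==$"
    "8UM1aksC3gc9t5P+Hi1HXZw4FVsPU+JAa9ieL/UaDKA=:bv5P+tMlIsRC9hL5Da+tTF1O3+CBkOhxdmBrD5Di1A0="
)


def _stored_and_server_key(password: str, salt: bytes, iterations: int):
    """RFC 7677 derivation: SaltedPassword -> ClientKey -> StoredKey, and ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def scram_sha256_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Build what psql sends: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>."""
    stored_key, server_key = _stored_and_server_key(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_scram_verifier(verifier: str):
    """Return (iterations, salt, stored_key, server_key), or None if not a SCRAM verifier."""
    m = SCRAM_RE.fullmatch(verifier)
    if not m:
        return None
    iters, salt, stored, server = m.groups()
    return int(iters), base64.b64decode(salt), base64.b64decode(stored), base64.b64decode(server)


def password_type(shadow_pass: str) -> str:
    """Classify what the hook receives (plaintext, md5 or scram-sha-256)."""
    if parse_scram_verifier(shadow_pass):
        return "scram-sha-256"
    if re.fullmatch(r"md5[0-9a-f]{32}", shadow_pass):
        return "md5"
    return "plaintext"


def scram_matches(verifier: str, candidate: str) -> bool:
    """True if `candidate` is the password behind `verifier` (recompute StoredKey with its salt)."""
    iters, salt, stored_key, _ = parse_scram_verifier(verifier)
    candidate_stored, _ = _stored_and_server_key(candidate, salt, iters)
    return hmac.compare_digest(candidate_stored, stored_key)


def check_password(username: str, shadow_pass: str):
    """Model of a passwordcheck-style hook: rejection reason, or None if accepted."""
    kind = password_type(shadow_pass)
    if kind == "plaintext":
        if len(shadow_pass) < MIN_PWD_LEN:
            return "password is too short"
        if username in shadow_pass:
            return "password must not contain user name"
        has_letter = any(c.isalpha() for c in shadow_pass)
        has_nonletter = any(not c.isalpha() for c in shadow_pass)
        if not (has_letter and has_nonletter):
            return "password must contain both letters and nonletters"
        return None
    # Hashed: only the verifier arrives. The one guess the server can make is
    # "password == user name"; length and character-class rules are unenforceable.
    if kind == "scram-sha-256":
        equal_to_name = scram_matches(shadow_pass, username)
    else:  # md5: hex(md5(password + username))
        equal_to_name = hashlib.md5((username + username).encode()).hexdigest() == shadow_pass[3:]
    return "password must not equal user name" if equal_to_name else None


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; psql also draws a random salt
    print(check_password("test1", "1"))                            # rejected in plaintext
    print(check_password("test1", scram_sha256_verifier("1", salt)))  # accepted once hashed
    print(check_password("test1", scram_sha256_verifier("test1", salt)))
    print(password_type(CAPTURED_VERIFIER), parse_scram_verifier(CAPTURED_VERIFIER)[0])
```

Running it shows the asymmetry the report describes: the literal `'1'` is refused as too short, but the SCRAM verifier for the same `'1'` passes, because the hook only has a StoredKey it cannot invert; the single check that survives hashing is the guess that the password equals the user name. Any length or complexity policy therefore has to be applied where the plaintext still exists, before the client hashes it.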

