Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-www-owner+archive@lists.postgresql.org>)
	id 1raajF-00AVX2-4U
	for pgsql-www@arkaria.postgresql.org; Thu, 15 Feb 2024 12:20:37 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-www-owner+archive@lists.postgresql.org>)
	id 1raajD-00D8oj-MA
	for pgsql-www@arkaria.postgresql.org; Thu, 15 Feb 2024 12:20:35 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <zaurhajili@gmail.com>)
	id 1raajD-00D8oY-31
	for pgsql-www@lists.postgresql.org; Thu, 15 Feb 2024 12:20:35 +0000
Received: from mail-yw1-x1134.google.com ([2607:f8b0:4864:20::1134])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <zaurhajili@gmail.com>)
	id 1raajA-006sRr-9q
	for pgsql-www@postgresql.org; Thu, 15 Feb 2024 12:20:33 +0000
Received: by mail-yw1-x1134.google.com with SMTP id
 00721157ae682-607d8506099so4128147b3.0
        for <pgsql-www@postgresql.org>; Thu, 15 Feb 2024 04:20:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1707999630; x=1708604430;
 darn=postgresql.org;
        h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=XPqXowvld/aktZqbzZx5LG7pk4pf2FgQ6ZMng8xTv6I=;
        b=I7raHCkchSMyP+CoKaNGOVzD0b00f38D+VUCss/J5+BI+2KnTVw8bt8LgcgJMqObSo
         qhHFtL1FzammEEoEm9qbCqtqv97y+6Y9Ztc3lMZus21uTZX7fAgXjFZySPjKEDbgbFfj
         k2UvpHDIF7rUg7bpYL1+u29tFuOp4pDz/TKHPbfzMkEz431yjbJkVJ5IYOLP6wbDIiTE
         8PzbvZXja96BmKMBZEFK7Nmxrbgq57UXtCmGJ4uoAtxNgyKFDWVl4yOBKZkCkhVVwRsi
         OJRQ4GbbmW+iMEctuEktXEGapeDmXtlLYD5pkIU59u/D4NyeZGI3n+76TiwiWtxskhxv
         B/Qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1707999630; x=1708604430;
        h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=XPqXowvld/aktZqbzZx5LG7pk4pf2FgQ6ZMng8xTv6I=;
        b=TP+eP38u0LdPQhBtpdl0ks60P7szHwFEkPOdEvruj/K5pHnR3fqRCHMY9hn1jbLZEm
         eepaT6l2NEqHOrBtj0t8FET03jXTIlK7RTHViWRgI4kt6FLT3w8JN7BpuK9VwSRGiegt
         9vzKjtO7OmsgGKR8EBDP24jN9c7W26ezfWBYAetmwTGH8+EklrgycPp5SeImpoNd06Hs
         3IdAHwsjSOjCvRPayeJmI6BS1tiFbFJ0UVPSg7g+g06is9eVhWTp9CjYP6Pae5RpZFim
         aq17iSaY8Y3bAho3RC1Wi60IIO6ElxitgNBeiFEFdV0Mfp74FNBAIKb8wHywsN2d8RHB
         JLxA==
X-Gm-Message-State: AOJu0YzpKKfhKPHCBRwHSCmdduMo7pOI2DispIdV1sIzR4c7ZCG5lZes
	Zyw62Uq8Qn4j0mHEdfX+Eej2cWHNZm11l6m/Yy3+kwtsMdoGkcJEdiU8PHMoZNQzUDmOLD22S37
	wbI/CS+8i2ivzoHYyrE21MI3SuAIxKtK5bOoq5A==
X-Google-Smtp-Source: 
 AGHT+IH4avuVVwTJzGHw73JWpxt5OsdxtbUDbFLsSntSik8ca8h/Bckjc8RAhtovsn0rTumVvSyVWYuwg1IE2JZ0XJ0=
X-Received: by 2002:a81:5758:0:b0:604:9b58:9d2 with SMTP id
 l85-20020a815758000000b006049b5809d2mr1515838ywb.34.1707999630494; Thu, 15
 Feb 2024 04:20:30 -0800 (PST)
MIME-Version: 1.0
From: Zaur Hajili <zaurhajili@gmail.com>
Date: Thu, 15 Feb 2024 16:20:17 +0400
Message-ID: 
 <CAFS9i-zYnEF3GZPZV+bDr_-2q394vG2VX9Vt3b8DYkSu+O8gEA@mail.gmail.com>
Subject: passwordcheck module problem
To: pgsql-www@postgresql.org
Cc: nigarsalman7@gmail.com
Content-Type: multipart/alternative; boundary="00000000000040913206116aa79f"
List-Id: <pgsql-www.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-www@lists.postgresql.org>
List-Owner: <mailto:pgsql-www-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-www>
Archived-At: 
 <https://www.postgresql.org/message-id/CAFS9i-zYnEF3GZPZV%2BbDr_-2q394vG2VX9Vt3b8DYkSu%2BO8gEA%40mail.gmail.com>
Precedence: bulk

--00000000000040913206116aa79f
Content-Type: text/plain; charset="UTF-8"

Hi,

recently one of dba course students informed me about problem of
passwordcheck module.

I cannot imagine that it is not a known issue, but if this is the known
issue, then passwordcheck module loses all its functionality.

Problem is, when a user changes its password via* \password *(psql meta
command) command, it can set any simple password successfuly.

Tested in versions 14,15,16. same behavior.

Postgres must check the password before converting to hash, it is clear
that after hash it cannot detect the weakness.

postgres=# select version();
                                                 version

---------------------------------------------------------------------------------------------------------
 PostgreSQL 15.5 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0
20210514 (Red Hat 8.5.0-20), 64-bit
(1 row)

postgres=# show shared_preload_libraries;
   shared_preload_libraries
-------------------------------
 $libdir/passwordcheck,pgaudit
(1 row)

postgres=# create user test1 with password '1';
ERROR:  password is too short
postgres=#
postgres=# \set VERBOSITY verbose
postgres=#
postgres=# create user test1;
CREATE ROLE
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
postgres=#
postgres=# \set ECHO_HIDDEN on
postgres=#
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
********* QUERY **********
ALTER USER test1 PASSWORD
'SCRAM-SHA-256$4096:8HfuUKZq5sm8cYQzuk16mA==$8UM1aksC3gc9t5P+Hi1HXZw4FVsPU+JAa9ieL/UaDKA=:bv5P+tMlIsRC9hL5Da+tTF1O3+CBkOhxdmBrD5Di1A0='
**************************


-- 
Regards
Zaur Hajili

--00000000000040913206116aa79f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-size:small"><fo=
nt face=3D"arial, sans-serif">Hi,</font></div><div class=3D"gmail_default" =
style=3D"font-size:small"><font face=3D"arial, sans-serif"><br></font></div=
><div class=3D"gmail_default" style=3D"font-size:small"><font face=3D"arial=
, sans-serif">recently one of dba=C2=A0course students informed me about pr=
oblem of passwordcheck module.</font></div><div class=3D"gmail_default" sty=
le=3D"font-size:small"><font face=3D"arial, sans-serif"><br></font></div><d=
iv class=3D"gmail_default" style=3D"font-size:small"><font face=3D"arial, s=
ans-serif">I cannot imagine that it is not a known issue, but if this is th=
e known issue, then passwordcheck module loses=C2=A0all its functionality.<=
/font></div><div class=3D"gmail_default" style=3D"font-size:small"><font fa=
ce=3D"arial, sans-serif"><br></font></div><div class=3D"gmail_default" styl=
e=3D"font-size:small"><font face=3D"arial, sans-serif">Problem is, when a u=
ser changes its password via<b> \password </b>(psql meta command) command, =
it can set any simple password successfuly.</font></div><div class=3D"gmail=
_default" style=3D"font-size:small"><font face=3D"arial, sans-serif"><br></=
font></div><div class=3D"gmail_default" style=3D"font-size:small"><font fac=
e=3D"arial, sans-serif">Tested in versions 14,15,16. same behavior.</font><=
/div><div class=3D"gmail_default" style=3D"font-size:small"><font face=3D"a=
rial, sans-serif"><br></font></div><div class=3D"gmail_default" style=3D"fo=
nt-size:small"><font face=3D"arial, sans-serif">Postgres must check the pas=
sword before converting to hash, it is clear that after hash it cannot dete=
ct the weakness.</font></div><div class=3D"gmail_default" style=3D"font-fam=
ily:monospace,monospace;font-size:small">=C2=A0</div><div class=3D"gmail_de=
fault" style=3D"font-size:small"><font face=3D"monospace">postgres=3D# sele=
ct version();<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0version =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 <=
br>------------------------------------------------------------------------=
---------------------------------<br>=C2=A0PostgreSQL 15.5 on x86_64-pc-lin=
ux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-20), 64-bit<br>=
(1 row)<br><br>postgres=3D# show shared_preload_libraries;<br>=C2=A0 =C2=A0=
shared_preload_libraries =C2=A0 =C2=A0<br>-------------------------------<b=
r>=C2=A0$libdir/passwordcheck,pgaudit<br>(1 row)<br><br>postgres=3D# create=
 user test1 with password &#39;1&#39;;<br>ERROR: =C2=A0password is too shor=
t<br>postgres=3D# <br>postgres=3D# \set VERBOSITY verbose <br>postgres=3D# =
<br>postgres=3D# create user test1;<br>CREATE ROLE<br>postgres=3D# <br>post=
gres=3D# \password test1<br>Enter new password for user &quot;test1&quot;: =
<br>Enter it again: <br>postgres=3D# <br>postgres=3D# \set ECHO_HIDDEN on<b=
r>postgres=3D# <br>postgres=3D# <br>postgres=3D# \password test1<br>Enter n=
ew password for user &quot;test1&quot;: <br>Enter it again: <br>********* Q=
UERY **********<br>ALTER USER test1 PASSWORD &#39;SCRAM-SHA-256$4096:8HfuUK=
Zq5sm8cYQzuk16mA=3D=3D$8UM1aksC3gc9t5P+Hi1HXZw4FVsPU+JAa9ieL/UaDKA=3D:bv5P+=
tMlIsRC9hL5Da+tTF1O3+CBkOhxdmBrD5Di1A0=3D&#39;<br>*************************=
*</font><br></div><div class=3D"gmail_default" style=3D"font-family:monospa=
ce,monospace;font-size:small"><br></div><div><br></div><span class=3D"gmail=
_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature"=
 data-smartmail=3D"gmail_signature"><div dir=3D"ltr"><div><div dir=3D"ltr">=
<div dir=3D"ltr"><font face=3D"monospace, monospace">Regards</font><div><fo=
nt face=3D"monospace, monospace">Zaur Hajili</font></div><div><br></div></d=
iv></div></div></div></div></div>

--00000000000040913206116aa79f--