public inbox for [email protected]
From: Jonathan S. Katz <[email protected]>
To: Zaur Hajili <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: passwordcheck module problem
Date: Thu, 15 Feb 2024 07:45:31 -0500
Message-ID: <[email protected]>
In-Reply-To: <CAFS9i-zYnEF3GZPZV+bDr_-2q394vG2VX9Vt3b8DYkSu+O8gEA@mail.gmail.com>
References: <CAFS9i-zYnEF3GZPZV+bDr_-2q394vG2VX9Vt3b8DYkSu+O8gEA@mail.gmail.com>
Hi,
First, please note that this mailing list is for reporting issues
related to the web properties of PostgreSQL. For general discussion
items, please use pgsql-general@.
On 2/15/24 7:20 AM, Zaur Hajili wrote:
> Hi,
>
> Recently one of my DBA course students informed me about a problem with
> the passwordcheck module.
>
> I cannot imagine that it is not a known issue, but if this is a known
> issue, then the passwordcheck module loses all its functionality.
>
> The problem is, when a user changes their password via \password (the psql
> meta-command), they can set any simple password successfully.
>
> Tested in versions 14, 15, 16. Same behavior.
You're seeing the SCRAM hash, which is due to the switch to using SCRAM as
the default hashing method from PostgreSQL 14+. Prior to that, it was
md5, which would still generate an md5 hash using \password.
> Postgres must check the password before converting to hash, it is clear
> that after hash it cannot detect the weakness.
This can get into a long debate about the value of checking the strength
of a plaintext password by enforced requirements. However, with a hash,
you can still check if the hashed password is in a common dictionary of
passwords with the tradeoff that this computation can take some time
depending on how large the dictionary is.
Thanks,
Jonathan
Attachments:
[application/pgp-signature] OpenPGP_signature.asc (840B, 2-OpenPGP_signature.asc)
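The dictionary check the reply describes, as an added example that is not code from this thread or from PostgreSQL: it builds a verifier in PostgreSQL's stored SCRAM-SHA-256 format and then tests a common-password list against it, the way a server-side policy check could once only the hash is available. The salt, the password list and all function names are constructed for the example; SASLprep normalization is omitted, which is fine for ASCII passwords.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed salt for the example; PostgreSQL generates a random one per password.
DEMO_SALT = bytes(range(1, 17))

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def build_scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Build PostgreSQL's stored form: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>.
    Key derivation follows RFC 5802/7677: Hi() is PBKDF2-HMAC-SHA256."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"

def parse_scram_verifier(verifier: str) -> Tuple[int, bytes, bytes]:
    """Return (iterations, salt, StoredKey) from a stored verifier string."""
    scheme, rest = verifier.split("$", 1)
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    params, keys = rest.split("$", 1)
    iterations, salt_b64 = params.split(":", 1)
    stored_b64, _server_b64 = keys.split(":", 1)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(stored_b64)

def weak_password_in_verifier(verifier: str, dictionary: Iterable[str]) -> Optional[str]:
    """Return the dictionary entry that produced this verifier, or None.
    Each candidate costs one PBKDF2 run at the stored iteration count, so the
    check's cost grows with the dictionary size, as the reply notes."""
    iterations, salt, stored_key = parse_scram_verifier(verifier)
    for candidate in dictionary:
        salted = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
        if hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
            return candidate
    return None

# Constructed stand-in for a common-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "postgres"]

def demo() -> Tuple[Optional[str], Optional[str]]:
    weak = build_scram_verifier("postgres", DEMO_SALT)
    strong = build_scram_verifier("c0rrect-h0rse-battery-staple-9z", DEMO_SALT)
    return (weak_password_in_verifier(weak, COMMON_PASSWORDS),
            weak_password_in_verifier(strong, COMMON_PASSWORDS))

if __name__ == "__main__":
    print(demo())  # ('postgres', None)
```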