From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | mudit0201(at)gmail(dot)com |
Cc: | pgsql-docs(at)postgresql(dot)org |
Subject: | Re: Password encryption |
Date: | 2017-06-29 22:38:24 |
Message-ID: | CAB7nPqStc7BMNaQU52yAOC-b1nhCt_S0mhExF3CvyBALNq509Q@mail.gmail.com |
Lists: | pgsql-docs |
Hi,
On Thu, Jun 29, 2017 at 9:23 PM, <mudit0201(at)gmail(dot)com> wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/9.1/static/libpq-pgpass.html
> Description:
>
> Can we keep encrypted password in .pgpass file or is there any way to
> provide encrypted password to connect to postgres or can we pass password to
> psql command as an argument?
This question would be more adapted to pgsql-general, as this is not a
documentation bug.
The password present in the password file needs to be in plain format.
When using an SSL connection, the handshake happens before the actual
password authentication, so the data related to the password exchanged
would be encrypted, and in the case of MD5 what is actually sent to a
server is already an MD5 hash of it that the server compares with a
salt applied on it.
A user knowing only the MD5 hash, and not the plain password, would
still be able to connect, so you really had better use SSL anyway if
connecting over an untrusted network. Postgres 10 comes with
SCRAM-SHA-256, by the way, which is stronger by design for such things.
--
Michael
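The MD5 exchange the reply describes, as an added worked example (Python, written for this page; it is not code from the thread or from libpq): the server stores md5(password || username), the client answers the challenge by hashing that stored value with the server's 4-byte salt, so verification needs only the stored value, and a .pgpass entry must hold the plain password because libpq always derives the inner hash itself. The role name, password and salt below are constructed.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5_verifier(password: str, username: str) -> str:
    """What the server keeps for an MD5 role: 'md5' + hex(md5(password || username))."""
    return "md5" + md5_hex(password.encode() + username.encode())


def client_md5_response(pgpass_entry: str, username: str, salt: bytes) -> str:
    """What libpq sends for AuthenticationMD5Password.

    libpq treats whatever it read from .pgpass as the plain password: it first
    derives the verifier from it, then hashes that (minus the 'md5' prefix)
    together with the 4-byte salt the server sent.
    """
    inner = stored_md5_verifier(pgpass_entry, username)[3:]
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: only the stored verifier and the salt are needed, never the
    plain password. This is why the reply says the stored hash alone is enough
    to authenticate, and why the verifier must be protected like a password."""
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed role, password and salt; returns the outcomes of both cases."""
    user, password = "alice", "s3cret"          # constructed
    salt = b"\x01\x02\x03\x04"                  # constructed; server chooses it
    verifier = stored_md5_verifier(password, user)
    # Case 1: .pgpass holds the plain password -> authentication succeeds.
    plain_ok = server_check(verifier, salt, client_md5_response(password, user, salt))
    # Case 2: .pgpass holds the 'encrypted' md5 verifier instead -> libpq hashes it
    # again, the response no longer matches, authentication fails.
    hashed_ok = server_check(verifier, salt, client_md5_response(verifier, user, salt))
    return {"plain_password_in_pgpass": plain_ok, "md5_hash_in_pgpass": hashed_ok}
```

Running demo() shows the first case succeeding and the second failing, which is the behaviour behind "the password present in the password file needs to be in plain format".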