| From: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Peter J(dot) Holzer" <hjp-pgsql(at)hjp(dot)at>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Automatic upgrade of passwords from md5 to scram-sha256 |
| Date: | 2025-01-13 00:15:57 |
| Message-ID: | CAMsGm5coc93kLUHN81BzYz7j1stBW3BJkgnrcw+GGKxf4ZjUfA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Sun, 12 Jan 2025 at 17:59, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Peter J. Holzer" <hjp-pgsql(at)hjp(dot)at> writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
>
> Really? That implies that the framework has access to the original
> cleartext password, which is a security fail already.
It happens upon user login. If the user's password is hashed with an old
algorithm, it is re-hashed during login when the Django application running
on the Web server has the password sent by the user:
https://docs.djangoproject.com/en/5.1/topics/auth/passwords/#password-upgrading
But of course this only works if the old method in use involves sending the
password to the server.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter J. Holzer | 2025-01-13 00:17:20 | Re: Automatic upgrade of passwords from md5 to scram-sha256 |
| Previous Message | Bruce Momjian | 2025-01-12 23:37:29 | Re: Automatic upgrade of passwords from md5 to scram-sha256 |