Re: passwordcheck module problem
| От | Jonathan S. Katz |
|---|---|
| Тема | Re: passwordcheck module problem |
| Дата | |
| Msg-id | b3c48e1e-4f82-4131-b7de-af1896c32dd8@postgresql.org обсуждение исходный текст |
| Ответ на | passwordcheck module problem (Zaur Hajili <zaurhajili@gmail.com>) |
| Список | pgsql-www |
Hi, First, please note that this mailing list is for reporting issues related to the web properties of PostgreSQL. For general discussion items, please use pgsql-general@ On 2/15/24 7:20 AM, Zaur Hajili wrote: > Hi, > > recently one of dba course students informed me about problem of > passwordcheck module. > > I cannot imagine that it is not a known issue, but if this is the known > issue, then passwordcheck module loses all its functionality. > > Problem is, when a user changes its password via*\password *(psql meta > command) command, it can set any simple password successfuly. > > Tested in versions 14,15,16. same behavior. You're seeing the SCRAM hash, which is due to switch to using SCRAM as the default hashing method from PostgreSQL 14+. Prior to that, it was md5, which would still generate a md5 hash using \password. > Postgres must check the password before converting to hash, it is clear > that after hash it cannot detect the weakness. This can get into a long debate about the value of checking the strength of a plaintext password by enforced requirements. However, with a hash, you can still check if the hashed password is in a common dictionary of passwords with the tradeoff that this computation can take some time depending on how large the dictionary is. Thanks, Jonathan
Вложения
В списке pgsql-www по дате отправления: