Stephen Frost <sfrost@snowman.net> writes:
> * raf@raf.org (raf@raf.org) wrote:
>> I don't think there's anything wrong with prefixing a
>> password hash with an identifier for the password
>> hashing scheme (and any parameters for that scheme).
>> This is done all the time in many systems. It just has
>> to be unambiguoous.
> There isn't a way to make it unambiguous given that we accept
> more-or-less anything as a plaintext password though, that would be the
> issue here..
In practice, particularly with the extra validation we just added,
it seems vanishingly unlikely that anyone would choose a password
that just happened to look like one of the hashed formats.
If somebody intentionally chooses such a password, well, it's on
their heads whether the outcome is what they want.
regards, tom lane
