Home > mailing lists

Re: Automatic upgrade of passwords from md5 to scram-sha256 - Mailing list pgsql-general

From	Isaac Morland
Subject	Re: Automatic upgrade of passwords from md5 to scram-sha256
Date	January 13 03:15:57
Msg-id	CAMsGm5coc93kLUHN81BzYz7j1stBW3BJkgnrcw+GGKxf4ZjUfA@mail.gmail.com Whole thread Raw
In response to	Re: Automatic upgrade of passwords from md5 to scram-sha256 (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-general

Tree view

On Sun, 12 Jan 2025 at 17:59, Tom Lane <tgl@sss.pgh.pa.us> wrote:

"Peter J. Holzer" <hjp-pgsql@hjp.at> writes:
> The web framework Django will automatically and transparently rehash any
> password with the currently preferred algorithm if it isn't stored that
> way already.

Really? That implies that the framework has access to the original
cleartext password, which is a security fail already.

It happens upon user login. If the user's password is hashed with an old algorithm, it is re-hashed during login when the Django application running on the Web server has the password sent by the user:

https://docs.djangoproject.com/en/5.1/topics/auth/passwords/#password-upgrading

But of course this only works if the old method in use involves sending the password to the server.

pgsql-general by date:

From: Bruce Momjian
Date: 13 January, 02:37:29
Subject: Re: Automatic upgrade of passwords from md5 to scram-sha256

From: Torsten Krah
Date: 13 January, 12:34:46
Subject: Re: could not open file "base/XX/XX": Interrupted system call

Re: Automatic upgrade of passwords from md5 to scram-sha256 - Mailing list pgsql-general

Previous

Next