Thread: Changing passwords from client application

Changing passwords from client application

From
Tomasz Ostrowski
Date:
I need to implement an option to change passwords in my application,
which authenticates using MD5. This application however operates over
an unencrypted link, so it'll be a little bit of a challenge.

I've come up with several possible implementations.

--------------------------------------------------------

Implementation I

1. A user selects "change password" option.

2. Ask the user for the old password, new password and new password
confirmation.

3. Connect to a database (this would be a second connection) using
provided old password.

4. Invoke
    "select change_password(new_password_hash)"
where
    new_password_hash=PQencryptPassword(new_password, username)
and change_password(text) is a volatile, security definer function, owned
by superuser, which will just do
        alter role session_user encrypted password $1;

This has two drawbacks:

- it needs another connection to a database, so I could not limit
  concurrent connections for a user to 1;

- it will be possible to use for example a left open psql session to
  change password of logged in user without knowledge of previous
  password.

--------------------------------------------------------

Implementation II

1. and 2. the same.

3. Invoke
    "select change_password(old_password_hash, new_password_hash)"
where
    new_password_hash=PQencryptPassword(new_password, username)
    old_password_hash=PQencryptPassword(old_password, username)
Again change_password(text) is a volatile, security definer function,
owned by superuser, which checks if
    pg_authid.rolpassword=$1 where rolname=session_user
and then
    alter role session_user encrypted password $2;

This time there is another problem - if anybody sniffs this connection
during the password change, then he will be able to use this
new_password_hash to change the password if he has a left-open psql
session.

--------------------------------------------------------

So do you have an idea how to securely change logged in user password
over an unencrypted link?

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
                                                      Winnie the Pooh
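The server side of "Implementation II" written out as a PL/pgSQL function, as an added example that is not part of the original post; it assumes PostgreSQL 8.x with plpgsql installed, a superuser owner, and that the client computes both hashes with PQencryptPassword (i.e. 'md5' || md5(password || username)). It only enforces the old-password check on the server; both hashes still travel in the clear, so it does not address the sniffing problem the post raises.

```sql
-- Added example: server side of Implementation II (hypothetical body,
-- not code from the thread). Create as a superuser.
CREATE OR REPLACE FUNCTION change_password(old_hash text, new_hash text)
RETURNS void AS $$
DECLARE
    stored text;
BEGIN
    -- Both values must look like MD5 role-password hashes ('md5' + 32 hex
    -- digits); this rejects empty or plaintext strings up front.
    IF old_hash !~ '^md5[0-9a-f]{32}$' OR new_hash !~ '^md5[0-9a-f]{32}$' THEN
        RAISE EXCEPTION 'password hashes must be md5-encrypted';
    END IF;

    -- session_user is the role that logged in. Inside a SECURITY DEFINER
    -- function current_user is the owner (the superuser), so it must not
    -- be used here. pg_authid is readable only by the definer.
    SELECT rolpassword INTO stored
      FROM pg_catalog.pg_authid
     WHERE rolname = session_user;

    IF stored IS NULL OR stored <> old_hash THEN
        RAISE EXCEPTION 'old password does not match';
    END IF;

    -- ALTER ROLE accepts no bind parameters, so the statement is built
    -- with quote_ident/quote_literal (available in 8.x; format() is 9.1+).
    -- An 'md5...' string given to ENCRYPTED PASSWORD is stored as-is.
    EXECUTE 'ALTER ROLE ' || quote_ident(session_user)
         || ' ENCRYPTED PASSWORD ' || quote_literal(new_hash);
END;
$$ LANGUAGE plpgsql VOLATILE SECURITY DEFINER;

-- Names are schema-qualified above because a SECURITY DEFINER function
-- runs with the caller's search_path (per-function SET search_path is 8.3+).

-- Client side, on the existing connection, with hashes from PQencryptPassword
-- (placeholders, not real values):
-- SELECT change_password('md5<old-hash>', 'md5<new-hash>');
```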

Re: Changing passwords from client application

From
Tomasz Ostrowski
Date:
On Tue, 19 Dec 2006, Tomasz Ostrowski wrote:

> - it will be possible to use for example a left open psql session to
>   change password of logged in user without knowledge of previous
>   password.

Forget it - I just found on
http://www.postgresql.org/docs/8.2/static/sql-alterrole.html
"Ordinary roles can only change their own password."

I thought I had tried to do this and failed, so I assumed otherwise, but I
must have made an error while testing.

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
                                                      Winnie the Pooh