password storage docs

Started by Richard Hectorover 7 years ago2 messagesdocs

Jump to latest

Richard Hector

richard@walnut.gen.nz

over 7 years ago

Hi,

Sending this as requested by xocolatl on #postgresql (irc).

On discovering that (md5) password hashes are stored in postgres in a
manner similar to this:

'md5' || md5('the most secret password' || 'username')

i.e. without the use of a random salt, it was suggested I should look
into the scram alternative.

I can't find information about the storage format for that at all -
other than "... and supports storing passwords on the server in a
cryptographically hashed form that is thought to be secure."

It would be nice to see more information on this.

Thanks,

Richard

Michael Paquier

michael@paquier.xyz

over 7 years ago

In reply to: Richard Hector (#1)

Re: password storage docs

On Mon, Aug 20, 2018 at 01:35:56PM +1200, Richard Hector wrote:

I can't find information about the storage format for that at all -
other than "... and supports storing passwords on the server in a
cryptographically hashed form that is thought to be secure."

It would be nice to see more information on this.

The SCRAM verifiers stored conform to RFC 5803:
https://tools.ietf.org/html/rfc5803.
This is mentioned in the comments of auth-scram.c. Do you think that
mentioning that in this paragraph of this doc would be useful? We could
for example append "as defined in RFC 5803" in the last sentence.
--
Michael