On Mon, Jan 13, 2025 at 3:41 PM Peter J. Holzer wrote:
> On 2025-01-13 12:19:06 -0500, Ron Johnson wrote:
> > On Sun, Jan 12, 2025 at 5:59 PM Tom Lane wrote:
> > [snip]
> >
> > I think this idea is a nonstarter, TLS or not. We're generally moving
> > in the direction of never letting
On 2025-01-13 12:19:06 -0500, Ron Johnson wrote:
> On Sun, Jan 12, 2025 at 5:59 PM Tom Lane wrote:
> [snip]
>
> I think this idea is a nonstarter, TLS or not. We're generally moving
> in the direction of never letting the server see cleartext passwords.
> It's already possible to co
On Sun, Jan 12, 2025 at 5:59 PM Tom Lane wrote:
[snip]
> I think this idea is a nonstarter, TLS or not. We're generally moving
> in the direction of never letting the server see cleartext passwords.
> It's already possible to configure libpq to refuse such requests
> (see require_auth parameter
On 1/12/25 17:59, Tom Lane wrote:
> "Peter J. Holzer" writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
> Really? That implies that the framework has access to the original
> clearte
On 2025-01-12 17:59:20 -0500, Tom Lane wrote:
> "Peter J. Holzer" writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
>
> Really? That implies that the framework has acce
On Sun, 12 Jan 2025 at 17:59, Tom Lane wrote:
> "Peter J. Holzer" writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
>
> Really? That implies that the framework has acc
On Sun, Jan 12, 2025 at 05:59:20PM -0500, Tom Lane wrote:
> > If the password for the user is stored as an MD5 hash, the server
> > replies to the startup message with an AuthenticationCleartextPassword
> > response to force the client to send the password in the clear
> > (obviously you only want t
"Peter J. Holzer" writes:
> The web framework Django will automatically and transparently rehash any
> password with the currently preferred algorithm if it isn't stored that
> way already.
Really? That implies that the framework has access to the original
cleartext password, which is a security
I have a PostgreSQL instance where the majority of the passwords is
still stored as MD5 hashes. I'm not particularly worried because they
are all randomly generated and should be reasonably secure against brute
force attacks even with a weak hash, and they're not that valuable
anyway, but it would