mirror of
https://github.com/postgres/postgres.git
synced 2026-01-05 23:38:41 +03:00
db6a4a985b
MD5 has been considered to be unsuitable for use as a cryptographic hash algorithm for some time. Furthermore, MD5 password hashes in PostgreSQL are vulnerable to pass-the-hash attacks, i.e., knowing the username and hashed password is sufficient to authenticate. The SCRAM-SHA-256 method added in v10 is not subject to these problems and is considered to be superior to MD5. This commit marks MD5 password support in PostgreSQL as deprecated and to be removed in a future release. The documentation now contains several deprecation notices, and CREATE ROLE and ALTER ROLE now emit deprecation warnings when setting MD5 passwords. The warnings can be disabled by setting the md5_password_warnings parameter to "off". Reviewed-by: Greg Sabino Mullane, Jim Nasby Discussion: https://postgr.es/m/ZwbfpJJol7lDWajL%40nathan
21 lines
927 B
Plaintext
21 lines
927 B
Plaintext
SET md5_password_warnings = off;
|
|
LOAD 'passwordcheck';
|
|
CREATE USER regress_passwordcheck_user1;
|
|
-- ok
|
|
ALTER USER regress_passwordcheck_user1 PASSWORD 'a_nice_long_password';
|
|
-- error: too short
|
|
ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshrt';
|
|
ERROR: password is too short
|
|
-- error: contains user name
|
|
ALTER USER regress_passwordcheck_user1 PASSWORD 'xyzregress_passwordcheck_user1';
|
|
ERROR: password must not contain user name
|
|
-- error: contains only letters
|
|
ALTER USER regress_passwordcheck_user1 PASSWORD 'alessnicelongpassword';
|
|
ERROR: password must contain both letters and nonletters
|
|
-- encrypted ok (password is "secret")
|
|
ALTER USER regress_passwordcheck_user1 PASSWORD 'md592350e12ac34e52dd598f90893bb3ae7';
|
|
-- error: password is user name
|
|
ALTER USER regress_passwordcheck_user1 PASSWORD 'md507a112732ed9f2087fa90b192d44e358';
|
|
ERROR: password must not equal user name
|
|
DROP USER regress_passwordcheck_user1;
|