Обсуждение: passwordcheck module problem
Hi,
recently one of dba course students informed me about problem of passwordcheck module.
I cannot imagine that it is not a known issue, but if this is the known issue, then passwordcheck module loses all its functionality.
Problem is, when a user changes its password via \password (psql meta command) command, it can set any simple password successfuly.
Tested in versions 14,15,16. same behavior.
Postgres must check the password before converting to hash, it is clear that after hash it cannot detect the weakness.
postgres=# select version();
version
---------------------------------------------------------------------------------------------------------
PostgreSQL 15.5 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-20), 64-bit
(1 row)
postgres=# show shared_preload_libraries;
shared_preload_libraries
-------------------------------
$libdir/passwordcheck,pgaudit
(1 row)
postgres=# create user test1 with password '1';
ERROR: password is too short
postgres=#
postgres=# \set VERBOSITY verbose
postgres=#
postgres=# create user test1;
CREATE ROLE
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
postgres=#
postgres=# \set ECHO_HIDDEN on
postgres=#
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
********* QUERY **********
ALTER USER test1 PASSWORD 'SCRAM-SHA-256$4096:8HfuUKZq5sm8cYQzuk16mA==$8UM1aksC3gc9t5P+Hi1HXZw4FVsPU+JAa9ieL/UaDKA=:bv5P+tMlIsRC9hL5Da+tTF1O3+CBkOhxdmBrD5Di1A0='
**************************
version
---------------------------------------------------------------------------------------------------------
PostgreSQL 15.5 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-20), 64-bit
(1 row)
postgres=# show shared_preload_libraries;
shared_preload_libraries
-------------------------------
$libdir/passwordcheck,pgaudit
(1 row)
postgres=# create user test1 with password '1';
ERROR: password is too short
postgres=#
postgres=# \set VERBOSITY verbose
postgres=#
postgres=# create user test1;
CREATE ROLE
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
postgres=#
postgres=# \set ECHO_HIDDEN on
postgres=#
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
********* QUERY **********
ALTER USER test1 PASSWORD 'SCRAM-SHA-256$4096:8HfuUKZq5sm8cYQzuk16mA==$8UM1aksC3gc9t5P+Hi1HXZw4FVsPU+JAa9ieL/UaDKA=:bv5P+tMlIsRC9hL5Da+tTF1O3+CBkOhxdmBrD5Di1A0='
**************************
Regards
Zaur Hajili
Hi, First, please note that this mailing list is for reporting issues related to the web properties of PostgreSQL. For general discussion items, please use pgsql-general@ On 2/15/24 7:20 AM, Zaur Hajili wrote: > Hi, > > recently one of dba course students informed me about problem of > passwordcheck module. > > I cannot imagine that it is not a known issue, but if this is the known > issue, then passwordcheck module loses all its functionality. > > Problem is, when a user changes its password via*\password *(psql meta > command) command, it can set any simple password successfuly. > > Tested in versions 14,15,16. same behavior. You're seeing the SCRAM hash, which is due to switch to using SCRAM as the default hashing method from PostgreSQL 14+. Prior to that, it was md5, which would still generate a md5 hash using \password. > Postgres must check the password before converting to hash, it is clear > that after hash it cannot detect the weakness. This can get into a long debate about the value of checking the strength of a plaintext password by enforced requirements. However, with a hash, you can still check if the hashed password is in a common dictionary of passwords with the tradeoff that this computation can take some time depending on how large the dictionary is. Thanks, Jonathan
Вложения
On Thu, 2024-02-15 at 16:20 +0400, Zaur Hajili wrote: > recently one of dba course students informed me about problem of passwordcheck module. > > I cannot imagine that it is not a known issue, but if this is the known issue, > then passwordcheck module loses all its functionality. > > Problem is, when a user changes its password via \password (psql meta command) > command, it can set any simple password successfuly. > > Tested in versions 14,15,16. same behavior. > > Postgres must check the password before converting to hash, it is clear that after > hash it cannot detect the weakness. That is clearly off-topic for the WWW list. The limitation is well known, see the "Caution" in the documentation of the module or the discussion that led to the module: https://www.postgresql.org/message-id/flat/D960CB61B694CF459DCFB4B0128514C203937F49%40exadv11.host.magwien.gv.at It is catch 22: the only entity that sees the clear text password and can check it is the client, and the server cannot trust the client. Yours, Laurenz Albe