- Password Storage Encryption
+ Password Encryption
- By default, database user passwords are stored as MD5 hashes, so
- the administrator cannot determine the actual password assigned
- to the user. If MD5 encryption is used for client authentication,
- the unencrypted password is never even temporarily present on the
- server because the client MD5-encrypts it before being sent
- across the network.
+ Database user passwords are stored as hashes (determined by the setting
+ ), so the administrator cannot
+ determine the actual password assigned to the user. If SCRAM or MD5
+ encryption is used for client authentication, the unencrypted password is
+ never even temporarily present on the server because the client encrypts
+ it before being sent across the network. SCRAM is preferred, because it
+ is an Internet standard and is more secure than the PostgreSQL-specific
+ MD5 authentication protocol.
-
- Encrypting Passwords Across A Network
-
-
- The MD5 authentication method double-encrypts the
- password on the client before sending it to the server. It first
- MD5-encrypts it based on the user name, and then encrypts it
- based on a random salt sent by the server when the database
- connection was made. It is this double-encrypted value that is
- sent over the network to the server. Double-encryption not only
- prevents the password from being discovered, it also prevents
- another connection from using the same encrypted password to
- connect to the database server at a later time.
-
-
-
-
Encrypting Data Across A Network
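Review bot: the parenthetical in the new first paragraph reads "(determined by the setting ), so the administrator cannot" and names no setting; the reference to the configuration parameter appears to have been dropped from the added line, so the sentence should be completed with the parameter name or the link to it before this goes in. Two smaller points in the same hunk: the paragraph opens by saying passwords are "stored as hashes" but then calls the client-side step "SCRAM or MD5 encryption" and says the client "encrypts" the password before sending it; both methods hash rather than encrypt, so "hashing" would keep the terminology consistent with the first sentence (the title change to "Password Encryption" goes the same way). Finally, deleting the "Encrypting Passwords Across A Network" section removes the only explanation of why the value sent over the wire is safe to expose, namely that the random salt sent by the server prevents a captured value from being reused in a later connection; a sentence to that effect would be worth carrying into the new paragraph, since it applies to SCRAM as well as MD5 and nothing else in the added text covers it.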