
Commit 20446a4

doc: Update mentions of MD5 in the documentation
Reported-by: Shay Rojansky <roji@roji.org>
1 parent 1be6752 commit 20446a4


1 file changed

+9
-25
lines changed


doc/src/sgml/runtime.sgml

Lines changed: 9 additions & 25 deletions
@@ -2024,16 +2024,18 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
20242024
<variablelist>
20252025

20262026
<varlistentry>
2027-
<term>Password Storage Encryption</term>
2027+
<term>Password Encryption</term>
20282028
<listitem>
20292029

20302030
<para>
2031-
By default, database user passwords are stored as MD5 hashes, so
2032-
the administrator cannot determine the actual password assigned
2033-
to the user. If MD5 encryption is used for client authentication,
2034-
the unencrypted password is never even temporarily present on the
2035-
server because the client MD5-encrypts it before being sent
2036-
across the network.
2031+
Database user passwords are stored as hashes (determined by the setting
2032+
<xref linkend="guc-password-encryption">), so the administrator cannot
2033+
determine the actual password assigned to the user. If SCRAM or MD5
2034+
encryption is used for client authentication, the unencrypted password is
2035+
never even temporarily present on the server because the client encrypts
2036+
it before being sent across the network. SCRAM is preferred, because it
2037+
is an Internet standard and is more secure than the PostgreSQL-specific
2038+
MD5 authentication protocol.
20372039
</para>
20382040
</listitem>
20392041
</varlistentry>
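Review bot: the terminology in this hunk is inconsistent: the new paragraph correctly says passwords are "stored as hashes", but the retained term "Password Encryption" and the phrases "If SCRAM or MD5 encryption is used" and "the client encrypts it before being sent" still describe a one-way hash and a challenge-response exchange as encryption. Keeping "Encryption" in the heading is defensible because it mirrors the guc-password-encryption setting being cross-referenced, but the body would be clearer as "If SCRAM or MD5 authentication is used" and "because the client sends only a value derived from the password", which also matches the new sentence calling MD5 an "authentication protocol". The added SCRAM recommendation is a good change; stating it as preferred "because it is an Internet standard" would read better with the reason a reader can act on first (it is more secure than the PostgreSQL-specific MD5 method), with the standards point second.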
@@ -2087,24 +2089,6 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
20872089
</listitem>
20882090
</varlistentry>
20892091

2090-
<varlistentry>
2091-
<term>Encrypting Passwords Across A Network</term>
2092-
2093-
<listitem>
2094-
<para>
2095-
The <literal>MD5</> authentication method double-encrypts the
2096-
password on the client before sending it to the server. It first
2097-
MD5-encrypts it based on the user name, and then encrypts it
2098-
based on a random salt sent by the server when the database
2099-
connection was made. It is this double-encrypted value that is
2100-
sent over the network to the server. Double-encryption not only
2101-
prevents the password from being discovered, it also prevents
2102-
another connection from using the same encrypted password to
2103-
connect to the database server at a later time.
2104-
</para>
2105-
</listitem>
2106-
</varlistentry>
2107-
21082092
<varlistentry>
21092093
<term>Encrypting Data Across A Network</term>
21102094
