author    Álvaro Herrera <alvherre@alvh.no-ip.org>  2025-04-05 19:16:58 +0200
committer Álvaro Herrera <alvherre@alvh.no-ip.org>  2025-04-05 19:17:13 +0200
commit    749a9e20c9790006f3af47f7a8faf4ad8dc358d9 (patch)
tree      f06c2be00fe91ac6edead896d7981b8b4c76b11e /doc/src
parent    e33f2335a9d9754ccf3bf7181085cfa581ee03c3 (diff)
Add modern SHA-2 based password hashes to pgcrypto.
This adapts the publicly available reference implementation on
https://www.akkadia.org/drepper/SHA-crypt.txt and adds the new hash
algorithms sha256crypt and sha512crypt to crypt() and gen_salt()
respectively.

Author: Bernd Helmle <mailings@oopsware.de>
Reviewed-by: Japin Li <japinli@hotmail.com>
Discussion: https://postgr.es/m/c763235a2757e2f5f9e3e27268b9028349cef659.camel@oopsware.de
Diffstat (limited to 'doc/src')
-rw-r--r--  doc/src/sgml/pgcrypto.sgml | 41
1 files changed, 40 insertions, 1 deletions
diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml
index f87668dfaed..b567b5c16e8 100644
--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@@ -189,6 +189,29 @@ hmac(data bytea, key bytea, type text) returns bytea
<entry>13</entry>
<entry>Original UNIX crypt</entry>
</row>
+ <row>
+ <entry><literal>sha256crypt</literal></entry>
+ <entry>unlimited</entry>
+ <entry>yes</entry>
+ <entry>up to 32</entry>
+ <entry>80</entry>
+ <entry>Adapted from publicly available reference implementation
+ <ulink url="https://www.akkadia.org/drepper/SHA-crypt.txt">Unix crypt using SHA-256 and SHA-512
+ </ulink>
+ </entry>
+ </row>
+ <row>
+ <entry><literal>sha512crypt</literal></entry>
+ <entry>unlimited</entry>
+ <entry>yes</entry>
+ <entry>up to 32</entry>
+ <entry>123</entry>
+ <entry>Adapted from publicly available reference implementation
+ <ulink url="https://www.akkadia.org/drepper/SHA-crypt.txt">Unix crypt using SHA-256 and SHA-512
+ </ulink>
+ </entry>
+ </row>
+
</tbody>
</tgroup>
</table>
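Review bot: the "Salt bits" entries for both new rows read "up to 32", but the reference implementation these same rows link to (SHA-crypt.txt) takes a salt of up to 16 characters drawn from a 64-symbol alphabet, i.e. up to 96 bits of salt; either the figure needs correcting or the entry should say what the 32 counts. Two smaller points in the same rows: the <ulink> text "Unix crypt using SHA-256 and SHA-512" is followed by a line break before </ulink>, so the rendered link text carries trailing whitespace (close the tag on the same line), and the added "+" line with nothing but whitespace before </tbody> is stray. The output lengths 80 and 123 do check out against the longest possible strings: the "$5$"/"$6$" prefix, "rounds=999999999$", a 16-character salt, the "$" separator and the 43- or 86-character digest.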
@@ -245,7 +268,9 @@ gen_salt(type text [, iter_count integer ]) returns text
<para>
The <parameter>type</parameter> parameter specifies the hashing algorithm.
The accepted types are: <literal>des</literal>, <literal>xdes</literal>,
- <literal>md5</literal> and <literal>bf</literal>.
+ <literal>md5</literal>, <literal>bf</literal>, <literal>sha256crypt</literal> and
+ <literal>sha512crypt</literal>. The last two, <literal>sha256crypt</literal> and
+ <literal>sha512crypt</literal> are modern <literal>SHA-2</literal> based password hashes.
</para>
<para>
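Review bot: the added sentence "The last two, sha256crypt and sha512crypt are modern SHA-2 based password hashes." is missing the comma that closes the appositive after the second name, and it repeats the two names the previous sentence just listed; "SHA-2" is also not a literal token and should not be wrapped in <literal>. Suggest collapsing the addition to: `<literal>sha512crypt</literal>. The last two are SHA-2 based password hashes.`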
@@ -284,6 +309,12 @@ gen_salt(type text [, iter_count integer ]) returns text
<entry>4</entry>
<entry>31</entry>
</row>
+ <row>
+ <entry><literal>sha256crypt, sha512crypt</literal></entry>
+ <entry>5000</entry>
+ <entry>1000</entry>
+ <entry>999999999</entry>
+ </row>
</tbody>
</tgroup>
</table>
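Review bot: the new row packs two algorithms into a single <literal> ("sha256crypt, sha512crypt") while every other row of this table names one algorithm per row; add one row per algorithm, or at least mark each name as its own <literal> so the names render as separate tokens. The values themselves (default 5000, minimum 1000, maximum 999999999) agree with the rounds= range defined in the SHA-crypt specification the patch references.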
@@ -313,6 +344,14 @@ gen_salt(type text [, iter_count integer ]) returns text
<function>gen_salt</function>.
</para>
+ <para>
+ The default <parameter>iter_count</parameter> for <literal>sha256crypt</literal> and
+ <literal>sha512crypt</literal> of <literal>5000</literal> is considered too low for modern
+ hardware, but can be adjusted to generate stronger password hashes.
+ Otherwise both hashes, <literal>sha256crypt</literal> and <literal>sha512crypt</literal> are
+ considered safe.
+ </para>
+
<table id="pgcrypto-hash-speed-table">
<title>Hash Algorithm Speeds</title>
<tgroup cols="5">
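Review bot: "is considered too low for modern hardware" and "are considered safe" give the reader neither an agent nor an actionable value; say how the count is raised (the iter_count argument of gen_salt, e.g. gen_salt('sha512crypt', 100000)) and drop the bare "considered safe" claim, which documentation cannot stand behind without stating when and against what. Grammar: a comma is needed after the second <literal>sha512crypt</literal> in "both hashes, sha256crypt and sha512crypt are". Finally, this paragraph is inserted directly above the "Hash Algorithm Speeds" table, yet no hunk in this patch adds sha256crypt or sha512crypt rows to that table; either add measurements for the new algorithms or state that they are omitted.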