author | Álvaro Herrera <alvherre@alvh.no-ip.org> | 2025-04-05 19:16:58 +0200 |
---|---|---|
committer | Álvaro Herrera <alvherre@alvh.no-ip.org> | 2025-04-05 19:17:13 +0200 |
commit | 749a9e20c9790006f3af47f7a8faf4ad8dc358d9 (patch) | |
tree | f06c2be00fe91ac6edead896d7981b8b4c76b11e /doc/src | |
parent | e33f2335a9d9754ccf3bf7181085cfa581ee03c3 (diff) | |
download | postgresql-749a9e20c9790006f3af47f7a8faf4ad8dc358d9.tar.gz postgresql-749a9e20c9790006f3af47f7a8faf4ad8dc358d9.zip |
Add modern SHA-2 based password hashes to pgcrypto.
This adapts the publicly available reference implementation on
https://www.akkadia.org/drepper/SHA-crypt.txt and adds the new hash
algorithms sha256crypt and sha512crypt to crypt() and gen_salt()
respectively.
Author: Bernd Helmle <mailings@oopsware.de>
Reviewed-by: Japin Li <japinli@hotmail.com>
Discussion: https://postgr.es/m/c763235a2757e2f5f9e3e27268b9028349cef659.camel@oopsware.de
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/pgcrypto.sgml | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml index f87668dfaed..b567b5c16e8 100644 --- a/doc/src/sgml/pgcrypto.sgml +++ b/doc/src/sgml/pgcrypto.sgml @@ -189,6 +189,29 @@ hmac(data bytea, key bytea, type text) returns bytea <entry>13</entry> <entry>Original UNIX crypt</entry> </row> + <row> + <entry><literal>sha256crypt</literal></entry> + <entry>unlimited</entry> + <entry>yes</entry> + <entry>up to 32</entry> + <entry>80</entry> + <entry>Adapted from publicly available reference implementation + <ulink url="https://www.akkadia.org/drepper/SHA-crypt.txt">Unix crypt using SHA-256 and SHA-512 + </ulink> + </entry> + </row> + <row> + <entry><literal>sha512crypt</literal></entry> + <entry>unlimited</entry> + <entry>yes</entry> + <entry>up to 32</entry> + <entry>123</entry> + <entry>Adapted from publicly available reference implementation + <ulink url="https://www.akkadia.org/drepper/SHA-crypt.txt">Unix crypt using SHA-256 and SHA-512 + </ulink> + </entry> + </row> + </tbody> </tgroup> </table> @@ -245,7 +268,9 @@ gen_salt(type text [, iter_count integer ]) returns text <para> The <parameter>type</parameter> parameter specifies the hashing algorithm. The accepted types are: <literal>des</literal>, <literal>xdes</literal>, - <literal>md5</literal> and <literal>bf</literal>. + <literal>md5</literal>, <literal>bf</literal>, <literal>sha256crypt</literal> and + <literal>sha512crypt</literal>. The last two, <literal>sha256crypt</literal> and + <literal>sha512crypt</literal> are modern <literal>SHA-2</literal> based password hashes. </para> <para> @@ -284,6 +309,12 @@ gen_salt(type text [, iter_count integer ]) returns text <entry>4</entry> <entry>31</entry> </row> + <row> + <entry><literal>sha256crypt, sha512crypt</literal></entry> + <entry>5000</entry> + <entry>1000</entry> + <entry>999999999</entry> + </row> </tbody> </tgroup> </table> 
@@ -313,6 +344,14 @@ gen_salt(type text [, iter_count integer ]) returns text <function>gen_salt</function>. </para> + <para> + The default <parameter>iter_count</parameter> for <literal>sha256crypt</literal> and + <literal>sha512crypt</literal> of <literal>5000</literal> is considered too low for modern + hardware, but can be adjusted to generate stronger password hashes. + Otherwise both hashes, <literal>sha256crypt</literal> and <literal>sha512crypt</literal> are + considered safe. + </para> + <table id="pgcrypto-hash-speed-table"> <title>Hash Algorithm Speeds</title> <tgroup cols="5"> |
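Review bot: in the @@ -189,6 +189,29 hunk the salt column entry `<entry>up to 32</entry>` on both new rows does not match the linked reference: the SHA-crypt specification at the ulink uses a salt of up to 16 characters drawn from a 64-symbol alphabet, i.e. up to 96 bits, so "up to 32" is neither the character count nor the bit count. State the unit and the value that gen_salt actually emits for these two types. The description column of the existing rows names the algorithm (the visible neighbour is `<entry>Original UNIX crypt</entry>`), while the two new rows describe provenance ("Adapted from publicly available reference implementation"); something like `<entry>SHA-256-based crypt (see <ulink ...>)</entry>` would fit the table better, and the line break before `</ulink>` leaves trailing whitespace inside the link text.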
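Review bot: in the @@ -245,7 +268,9 hunk the added sentence is missing a comma after the appositive and wraps a name that is not a token the user types in `<literal>`: `<literal>sha512crypt</literal> are modern <literal>SHA-2</literal> based password hashes` should read `<literal>sha512crypt</literal>, are modern SHA-2-based password hashes`, keeping `<literal>` for the type identifiers only.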
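Review bot: in the @@ -284,6 +309,12 hunk the first column of the new row packs two identifiers into one element, `<literal>sha256crypt, sha512crypt</literal>`; the comma and space are not part of either name, so either write `<literal>sha256crypt</literal>, <literal>sha512crypt</literal>` or add one row per algorithm so the entry can be matched against the type names accepted by gen_salt.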
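Review bot: in the @@ -313,6 +344,14 hunk the new paragraph says the default of 5000 "is considered too low for modern hardware" and that both hashes "are considered safe" without saying by whom or what value to use instead; if 5000 is known to be too low, either raise the default shown in the @@ -284 table to match or give a concrete recommended iter_count here, and reword "Otherwise both hashes ... are considered safe" (also missing the comma after `<literal>sha512crypt</literal>`), since "Otherwise" reads as though safety depended on leaving the count alone. The table that immediately follows the insertion point, `<table id="pgcrypto-hash-speed-table">` "Hash Algorithm Speeds", gets no rows for the two new algorithms anywhere in this patch, and that is the measurement a reader needs to pick an iter_count.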