@@ -2023,16 +2023,18 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
20232023 <variablelist>
20242024
20252025 <varlistentry>
2026- <term>Password Storage Encryption</term>
2026+ <term>Password Encryption</term>
20272027 <listitem>
20282028
20292029 <para>
2030- By default, database user passwords are stored as MD5 hashes, so
2031- the administrator cannot determine the actual password assigned
2032- to the user. If MD5 encryption is used for client authentication,
2033- the unencrypted password is never even temporarily present on the
2034- server because the client MD5-encrypts it before being sent
2035- across the network.
2030+ Database user passwords are stored as hashes (determined by the setting
2031+ <xref linkend="guc-password-encryption"/>), so the administrator cannot
2032+ determine the actual password assigned to the user. If SCRAM or MD5
2033+ encryption is used for client authentication, the unencrypted password is
2034+ never even temporarily present on the server because the client encrypts
2035+ it before being sent across the network. SCRAM is preferred, because it
2036+ is an Internet standard and is more secure than the PostgreSQL-specific
2037+ MD5 authentication protocol.
20362038 </para>
20372039 </listitem>
20382040 </varlistentry>
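Review bot: The added paragraph (new lines 2030-2037) mixes "hashes" and "encryption" for the same operation: passwords are "stored as hashes", but the text then says "SCRAM or MD5 encryption" and "the client encrypts it", and the term is renamed to "Password Encryption". Suggest one term throughout, for example "the client hashes it before it is sent across the network", which also fixes the dangling "before being sent". The statement that SCRAM "is more secure" is given only with "it is an Internet standard" as support; a short clause stating the actual security difference, or an xref to where the authentication methods are described, would help a reader choosing a value for guc-password-encryption.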
@@ -2086,24 +2088,6 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
20862088 </listitem>
20872089 </varlistentry>
20882090
2089- <varlistentry>
2090- <term>Encrypting Passwords Across A Network</term>
2091-
2092- <listitem>
2093- <para>
2094- The <literal>MD5</literal> authentication method double-encrypts the
2095- password on the client before sending it to the server. It first
2096- MD5-encrypts it based on the user name, and then encrypts it
2097- based on a random salt sent by the server when the database
2098- connection was made. It is this double-encrypted value that is
2099- sent over the network to the server. Double-encryption not only
2100- prevents the password from being discovered, it also prevents
2101- another connection from using the same encrypted password to
2102- connect to the database server at a later time.
2103- </para>
2104- </listitem>
2105- </varlistentry>
2106-
21072091 <varlistentry>
21082092 <term>Encrypting Data Across A Network</term>
21092093
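Review bot: Deleting the whole "Encrypting Passwords Across A Network" entry (old lines 2089-2105) drops the only statement that the server-supplied random salt prevents another connection from reusing the same encrypted password later. The replacement paragraph under "Password Encryption" only says the unencrypted password is never present on the server. Suggest carrying a sentence on that replay protection over to the new paragraph, worded so it is clear whether it applies to SCRAM as well as MD5, or linking to the section where the two protocols are described, so the property is not lost from the documentation.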