I think the title says it all, but how does this work?

If a salt is generated randomly, wouldn't that make it impossible to later compare?

I'm following these docs: https://www.postgresql.org/docs/current/static/pgcrypto.html (F.25.2. Password Hashing Functions)

1 Answer

Re: @erickson's answer here: How can bcrypt have built-in salts?

It appears that the hashing algorithm used is recorded in the encrypted string that is produced from the hash action. Can anyone confirm this works the same way for Postgres?

Community
  • According to the documentation, yes. You need to do `SELECT pswhash = crypt('entered password', pswhash)` (where `pswhash` is a column/value in the database) to re-check passwords. (If you look closely, you can see that the "hash" is used in place of the `gen_salt()` call upon checking). – pozs Feb 13 '17 at 14:47
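
The store-and-verify round trip described in the comment above, as an added example that is not part of the original thread. The table `app_user`, its columns and the sample passwords are assumptions made for illustration; it needs a role that is allowed to create the `pgcrypto` extension.

```sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical table for the example; only the crypt() output is stored.
CREATE TEMP TABLE app_user (
    username text PRIMARY KEY,
    pswhash  text NOT NULL
);

-- Store: gen_salt() picks a fresh random salt on every call, so two users
-- with the same password get different pswhash values.
INSERT INTO app_user (username, pswhash) VALUES
    ('alice', crypt('correct horse battery', gen_salt('bf', 8))),
    ('bob',   crypt('correct horse battery', gen_salt('bf', 8)));

-- Inspect: the stored string carries everything needed to recompute it.
-- For 'bf' it is 60 characters: a 7-character prefix with the algorithm
-- marker and cost, 22 characters of encoded salt, then the digest.
SELECT username,
       left(pswhash, 7)       AS algorithm_and_cost,
       substr(pswhash, 8, 22) AS salt,
       substr(pswhash, 30)    AS digest
FROM app_user;

-- Same password, different salts: the two stored values are not equal.
SELECT a.pswhash <> b.pswhash AS hashes_differ
FROM app_user a, app_user b
WHERE a.username = 'alice' AND b.username = 'bob';

-- Verify: pass the stored value as the second argument. crypt() reads the
-- algorithm, cost and salt back out of it and rehashes the candidate with
-- those settings, so the result equals pswhash only for the right password.
SELECT username,
       pswhash = crypt('correct horse battery', pswhash) AS right_password,
       pswhash = crypt('wrong guess', pswhash)           AS wrong_password
FROM app_user;

-- Login check as an application would run it: one row back means the
-- username exists and the password matches. gen_salt() is not called here.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND pswhash = crypt('correct horse battery', pswhash);
```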