I noticed that postgres compares encrypted text using 'contain' and not 'equal'. To replicate, use this:

```sql
create table "user" (uname text, password chkpass);
insert into "user" values ('user1', 'password');
select * from "user" where uname = 'user1' and password = 'password1';
```

This is a major issue.

Has anyone noticed that? Can someone give me a temporary solution, please?

Eyedia Tech
  • You forgot to ask a question. It looks more like a bug report, which you should take up with the developers of Postgres... – L. O. van Ingen Jun 07 '18 at 14:35
  • Sorry, I updated. As I cannot move out of postgres now, I am looking for any solution, even if it is temporary or some workaround – Eyedia Tech Jun 08 '18 at 13:51

1 Answer

It is not a bug. It is just a limitation of the crypt() function, which is used internally by the encryption.

> I noticed that postgres compares encrypted text using 'contain' and not 'equal'.

It is not using 'contain'; rather, it is checking the first eight characters of the text which is being compared. As mentioned in the documentation of chkpass:

> The encryption uses the standard Unix function crypt(), and so it suffers from all the usual limitations of that function; notably that only the first eight characters of a password are considered.

I would recommend that you use another algorithm to encrypt your password (as mentioned in this post) and then store it in the database, rather than using postgres chkpass.

SABER
  • hmm..Thank you! – Eyedia Tech Aug 30 '18 at 18:59
  • You can read this [link](https://www.postgresql.org/docs/8.3/static/pgcrypto.html) if you want to use the pgcrypto module instead of chkpass. It provides plenty of cryptographic functions for postgresql. – SABER Aug 31 '18 at 05:41
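
The eight-character limitation described in the answer and the pgcrypto alternative suggested in the last comment, as an added example that is not part of the original answer or comments. It assumes the pgcrypto extension can be installed; the table `app_user` and its columns are hypothetical names.

```sql
-- Added example, not from the original thread.
-- Assumption: the pgcrypto extension is available on this server.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- 1. Reproduce the limitation without chkpass. pgcrypto's 'des' algorithm is
--    the traditional Unix crypt() and reads at most 8 password characters,
--    so a candidate that only differs after position 8 hashes identically.
WITH stored AS (
    SELECT crypt('password', gen_salt('des')) AS hash
)
SELECT crypt('password',  hash) = hash AS same_password,
       crypt('password1', hash) = hash AS differs_at_char_9,
       crypt('passwor',   hash) = hash AS differs_within_8
FROM stored;

-- 2. Replace the chkpass column with a text column holding a bcrypt hash.
--    'bf' reads up to 72 password characters; 10 is the bcrypt cost factor.
CREATE TABLE app_user (            -- hypothetical table name
    uname         text PRIMARY KEY,
    password_hash text NOT NULL    -- hypothetical column name
);

INSERT INTO app_user (uname, password_hash)
VALUES ('user1', crypt('password', gen_salt('bf', 10)));

-- 3. Verify a login attempt: pass the stored hash as the salt argument so the
--    candidate is hashed with the same algorithm, cost and salt, then compare.
SELECT uname
FROM app_user
WHERE uname = 'user1'
  AND password_hash = crypt('password1', password_hash);  -- wrong candidate

SELECT uname
FROM app_user
WHERE uname = 'user1'
  AND password_hash = crypt('password', password_hash);   -- correct candidate
```

The passwords appear in the statement text here, so in an application pass them as bind parameters and keep statement logging in mind when hashing on the database side.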