On Sun, 12 Jan 2025 at 17:59, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
"Peter J. Holzer" <hjp-pgsql@xxxxxx> writes:
> The web framework Django will automatically and transparently rehash any
> password with the currently preferred algorithm if it isn't stored that
> way already.
Really? That implies that the framework has access to the original
cleartext password, which is a security fail already.
It happens upon user login. If the user's password is hashed with an old algorithm, it is re-hashed during login when the Django application running on the Web server has the password sent by the user:
But of course this only works if the old method in use involves sending the password to the server.
