If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.

From EDB Postgres Advanced Server Security Technical Implementation Guide

Associated with: CCI-000196

SV-83551r1_rule If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.

Vulnerability discussion

The DoD standard for authentication is DoD-approved PKI certificates.Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.In such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.

Check content

Execute the following SQL as enterprisedb: SHOW password_encryption; If the value is not "on", this is a finding.

Fix text

Execute the following SQL as enterprisedb: ALTER SYSTEM SET password_encryption = on; SELECT pg_reload_conf();

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.