postgresql

2nd chunk of `doc/src/sgml/pgcrypto.sgml`
 <function>gen_salt()</function>
   are specifically designed for hashing passwords.
   <function>crypt()</function> does the hashing and <function>gen_salt()</function>
   prepares algorithm parameters for it.
  </para>

  <para>
   The algorithms in <function>crypt()</function> differ from the usual
   MD5 or SHA-1 hashing algorithms in the following respects:
  </para>

  <orderedlist>
   <listitem>
    <para>
     They are slow.  As the amount of data is so small, this is the only
     way to make brute-forcing passwords hard.
    </para>
   </listitem>
   <listitem>
    <para>
     They use a random value, called the <firstterm>salt</firstterm>, so that users
     having the same password will have different encrypted passwords.
     This is also an additional defense against reversing the algorithm.
    </para>
   </listitem>
   <listitem>
    <para>
     They include the algorithm type in the result, so passwords hashed with
     different algorithms can co-exist.
    </para>
   </listitem>
   <listitem>
    <para>
     Some of them are adaptive &mdash; that means when computers get
     faster, you can tune the algorithm to be slower, without
     introducing incompatibility with existing passwords.
    </para>
   </listitem>
  </orderedlist>

  <para>
   <xref linkend="pgcrypto-crypt-algorithms"/> lists the algorithms
   supported by the <function>crypt()</function> function.
  </para>

  <table id="pgcrypto-crypt-algorithms">
   <title>Supported Algorithms for <function>crypt()</function></title>
   <tgroup cols="6">
    <colspec colname="col1" colwidth="1.5*"/>
    <colspec colname="col2" colwidth="1.25*"/>
    <colspec colname="col3" colwidth="1*"/>
    <colspec colname="col4" colwidth="1*"/>
    <colspec colname="col5" colwidth="1*"/>
    <colspec colname="col6" colwidth="2.5*"/>
    <thead>
     <row>
      <entry>Algorithm</entry>
      <entry>Max Password Length</entry>
      <entry>Adaptive?</entry>
      <entry>Salt Bits</entry>
      <entry>Output Length</entry>
      <entry>Description</entry>
     </row>
    </thead>
    <tbody>
     <row>
      <entry><literal>bf</literal></entry>
      <entry>72</entry>
      <entry>yes</entry>
      <entry>128</entry>
      <entry>60</entry>
      <entry>Blowfish-based, variant 2a</entry>
     </row>
     <row>
      <entry><literal>md5</literal></entry>
      <entry>unlimited</entry>
      <entry>no</entry>
      <entry>48</entry>
      <entry>34</entry>
      <entry>MD5-based crypt</entry>
     </row>
     <row>
      <entry><literal>xdes</literal></entry>
      <entry>8</entry>
      <entry>yes</entry>
      <entry>24</entry>
      <entry>20</entry>
      <entry>Extended DES</entry>
     </row>
     <row>
      <entry><literal>des</literal></entry>
      <entry>8</entry>
      <entry>no</entry>
      <entry>12</entry>
      <entry>13</entry>
      <entry>Original UNIX crypt</entry>
     </row>
     <row>
      <entry><literal>sha256crypt</literal></entry>
      <entry>unlimited</entry>
      <entry>yes</entry>
      <entry>up to 32</entry>
      <entry>80</entry>
      <entry>Adapted from publicly available reference implementation
       <ulink url="https://www.akkadia.org/drepper/SHA-crypt.txt">Unix crypt using SHA-256 and SHA-512
       </ulink>
      </entry>
     </row>
     <row>
      <entry><literal>sha512crypt</literal></entry>
      <entry>unlimited</entry>
      <entry>yes</entry>
      <entry>up to 32</entry>
      <entry>123</entry>
      <entry>Adapted from publicly available reference implementation
       <ulink url="https://www.akkadia.org/drepper/SHA-crypt.txt">Unix crypt using SHA-256 and SHA-512
       </ulink>
      </entry>
     </row>

    </tbody>
   </tgroup>
  </table>
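
  <para>
   An added example, not part of the PostgreSQL documentation or of pgcrypto: a Python audit of a stored password-hash column that identifies each hash's algorithm from the type marker it carries, reads the iteration parameter of adaptive hashes, and flags hashes to replace using the table's columns. The hash prefixes and field layouts, the SHA-crypt default of 5000 rounds, the policy floors and the sample values are assumptions or constructed.
  </para>

```python
import re

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
C = "[./0-9A-Za-z]"
# Table rows: (algorithm, max password length, adaptive?, output length, shape); shapes are assumed crypt(3) layouts.
FORMATS = [
    ("bf", 72, True, 60, rf"\$2a\$(\d\d)\${C}{{53}}"),
    ("md5", None, False, 34, rf"\$1\${C}{{1,8}}\${C}{{22}}"),
    ("xdes", 8, True, 20, rf"_({C}{{4}}){C}{{15}}"),
    ("des", 8, False, 13, rf"{C}{{13}}"),
    ("sha256crypt", None, True, 80, rf"\$5\$(?:rounds=(\d+)\$)?{C}{{1,16}}\${C}{{43}}"),
    ("sha512crypt", None, True, 123, rf"\$6\$(?:rounds=(\d+)\$)?{C}{{1,16}}\${C}{{86}}"),
]
MIN_WORK = {"bf": 10, "sha256crypt": 10000, "sha512crypt": 10000}  # illustrative policy floors (assumptions)

def classify(h):
    """Return (algorithm, iteration parameter or None), or None if no shape matches."""
    for name, _pw_max, adaptive, out_len, shape in FORMATS:
        m = re.fullmatch(shape, h)
        if not m or len(h) > out_len:
            continue
        if name == "bf":
            return name, int(m.group(1))          # cost: log2 of the iteration count
        if name == "xdes":                        # 24-bit count, 6 bits per char, low first
            return name, sum(B64.index(c) << 6 * i for i, c in enumerate(m.group(1)))
        if adaptive:
            return name, int(m.group(1) or 5000)  # SHA-crypt default without rounds=
        return name, None
    return None

def needs_rehash(h):
    """True when a stored hash should be replaced at the user's next login."""
    info = classify(h)
    if info is None:
        return True                               # unrecognised format
    name, work = info
    _, pw_max, adaptive, _, _ = next(r for r in FORMATS if r[0] == name)
    if pw_max == 8 or not adaptive:               # 8-character limit or fixed cost
        return True
    return work < MIN_WORK[name]

# Constructed column values: correct shape only, not real crypt() output.
SAMPLES = {
    "alice": "$2a$10$" + "A" * 53,
    "carol": "$1$" + "c" * 8 + "$" + "C" * 22,
    "dave": "_J9.." + "d" * 4 + "D" * 11,
    "erin": "$6$rounds=20000$" + "e" * 16 + "$" + "E" * 86,
}
REPORT = {u: (classify(h), needs_rehash(h)) for u, h in SAMPLES.items()}
```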

  <sect3 id="pgcrypto-password-hashing-funcs-crypt">
   <title><function>crypt()</function></title>

   <indexterm>
    <primary>crypt</primary>
   </indexterm>

<synopsis>
crypt(password text, salt text) returns text
</synopsis>

   <para>
    Calculates a crypt(3)-style hash

Title: Password Hashing Functions in pgcrypto
Summary
The pgcrypto module provides the password hashing functions crypt() and gen_salt(). The crypt() algorithms are deliberately slow, use a random salt, and record the algorithm type in the result; some, such as the Blowfish-based and SHA-256-based variants, are adaptive. Together these properties make brute-forcing passwords hard and let hashes produced by different algorithms coexist.