A PostgreSQL database component for end-user password validation.

jpig_password - A PostgreSQL database component for end-user password validation.

jpig_password is a set of PostgreSQL elements designed to provide a flexible, adaptable, best-practice approach to password storage and password hygiene.

Why?

There are two main targets that this project is predominantly aimed at.

The first is for new applications that would like to build in a strong adaptable password framework where all the policy decisions are clearly laid out and easily managed.

The second is to provide a way to integrate better password management into an existing web application.

Many web applications keep their users in a database table, but the application itself knows only one simple password storage mechanism. These formats are frequently chosen because they are all the application's library has to hand. The hashing technique is often already considered insecure by the time the application is released, and the application has no easy way to upgrade it.

This component was designed to provide a layer for an existing application that can not only handle just such a selection of legacy formats, but also provide an automatic, transparent storage-upgrade mechanism: a password is verified against whatever format it was stored in, and on success it is rehashed into the current default format.

Features

The functionality is built on the pgcrypto module and is currently limited by the capabilities of the pgcrypto build on your database machine.

Currently supported storage formats on a CentOS 7 machine include:

  • Crypt
  • Salted SHA1 with 8 or 16 bytes of salt
  • Salted SHA256 with 8 or 16 bytes of salt

Handling of a given format is data driven allowing for easy extension.
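The following is an added illustration of the legacy-format handling and transparent upgrade described above; it is not jpig_password's own schema or code. It assumes pgcrypto is installed, invents the table and function names (`demo_password_scheme`, `demo_user`, `demo_salted_digest`, `demo_check`, `demo_verify_and_upgrade`), and assumes the legacy "salted SHA" layout is `digest(password || salt)` with the salt stored alongside the hash; the real layout an application uses may differ and must be matched exactly. bcrypt via `crypt()`/`gen_salt('bf')` is used here as the upgrade target; the project's own default is not stated on this page.

```sql
-- Added example, not jpig_password's own code. Requires pgcrypto.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Data-driven scheme table: adding a format means adding a row here and
-- a branch in demo_check, nothing else. 'legacy' rows are verify-only and
-- are rehashed into the current default on the next successful login.
CREATE TABLE demo_password_scheme (
    scheme text PRIMARY KEY,      -- 'ssha1', 'ssha256', 'crypt_bf'
    legacy boolean NOT NULL
);
INSERT INTO demo_password_scheme VALUES
    ('ssha1',    true),
    ('ssha256',  true),
    ('crypt_bf', false);

CREATE TABLE demo_user (
    username text PRIMARY KEY,
    scheme   text NOT NULL REFERENCES demo_password_scheme,
    salt     bytea,                -- 8 or 16 bytes for ssha*; NULL for crypt (salt is inside pw_hash)
    pw_hash  text NOT NULL         -- hex digest for ssha*; crypt string for crypt_bf
);

-- Assumed legacy layout: hex(hash(password || salt)). The salt length is
-- whatever the stored row holds, so 8- and 16-byte salts need no special case.
CREATE OR REPLACE FUNCTION demo_salted_digest(password text, salt bytea, algo text)
RETURNS text LANGUAGE sql AS $$
    SELECT encode(digest(convert_to(password, 'UTF8') || salt, algo), 'hex');
$$;

-- One place that knows how to verify each supported scheme.
CREATE OR REPLACE FUNCTION demo_check(password text, scheme text, salt bytea, pw_hash text)
RETURNS boolean LANGUAGE plpgsql AS $$
BEGIN
    RETURN CASE scheme
        WHEN 'ssha1'    THEN demo_salted_digest(password, salt, 'sha1')   = pw_hash
        WHEN 'ssha256'  THEN demo_salted_digest(password, salt, 'sha256') = pw_hash
        WHEN 'crypt_bf' THEN crypt(password, pw_hash) = pw_hash  -- standard pgcrypto idiom
        ELSE false                                                  -- unknown scheme never verifies
    END;
END;
$$;

-- Verify a login; on success, if the row still uses a legacy scheme,
-- transparently rehash it with the current default (bcrypt, cost 10).
CREATE OR REPLACE FUNCTION demo_verify_and_upgrade(p_user text, p_password text)
RETURNS boolean LANGUAGE plpgsql AS $$
DECLARE
    r         demo_user%ROWTYPE;
    is_legacy boolean;
BEGIN
    SELECT * INTO r FROM demo_user WHERE username = p_user;
    IF NOT FOUND THEN
        -- Do a comparable amount of work for unknown users so the response
        -- time does not reveal which usernames exist.
        PERFORM crypt(p_password, gen_salt('bf', 10));
        RETURN false;
    END IF;

    IF NOT demo_check(p_password, r.scheme, r.salt, r.pw_hash) THEN
        RETURN false;
    END IF;

    SELECT legacy INTO is_legacy FROM demo_password_scheme WHERE scheme = r.scheme;
    IF is_legacy THEN
        -- Only possible at login time, because this is the only moment the
        -- plaintext password is available to the database.
        UPDATE demo_user
           SET scheme  = 'crypt_bf',
               salt    = NULL,
               pw_hash = crypt(p_password, gen_salt('bf', 10))
         WHERE username = p_user;
    END IF;
    RETURN true;
END;
$$;

-- Constructed sample data: one user in the legacy 8-byte-salt SHA-256 format,
-- one already on bcrypt.
INSERT INTO demo_user (username, scheme, salt, pw_hash)
SELECT 'alice', 'ssha256', s, demo_salted_digest('correct horse', s, 'sha256')
  FROM (SELECT gen_random_bytes(8) AS s) t;
INSERT INTO demo_user (username, scheme, salt, pw_hash)
VALUES ('bob', 'crypt_bf', NULL, crypt('battery staple', gen_salt('bf', 10)));

SELECT demo_verify_and_upgrade('alice', 'wrong');          -- false; alice's row is untouched
SELECT demo_verify_and_upgrade('alice', 'correct horse');  -- true; alice is rehashed to bcrypt
SELECT demo_verify_and_upgrade('nobody', 'anything');      -- false, after a dummy bcrypt
SELECT username, scheme FROM demo_user ORDER BY username;  -- alice and bob both crypt_bf
```

Two caveats a practitioner should keep in mind. The `=` comparisons above are not constant-time, so a deployment that cares about timing side channels should compare fixed-length digests with a dedicated routine or accept the (small) leak for salted hashes whose salt is already secret. And the rehash step only ever runs at a successful login, so accounts that never log in again stay in the legacy format; a separate policy (forced reset after a deadline) is needed to retire those rows.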

In addition, the aim is to provide functionality that would not normally be easy to add to an existing application: forced password change, TOTP, and the ability to change the default storage format as conditions change.