Re: Possible to store invalid SCRAM-SHA-256 Passwords

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)lists(dot)postgresql(dot)org, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: Possible to store invalid SCRAM-SHA-256 Passwords
Date: 2019-04-23 23:12:16
Message-ID: 20190423231216.GA1878@paquier.xyz
Lists: pgsql-bugs

On Tue, Apr 23, 2019 at 10:19:30AM -0400, Jonathan S. Katz wrote:
> - If you have an invalid SCRAM-SHA-256 password (e.g.
> SCRAM-SHA-256$1234), you would have been unable to log in anyway, so in
> all likelihood you would either have had an admin reset your password,
> or you gave up.
> - If you had a md5 hash with bogus characters in it, it'd be the above
> as well
>
> So likely it's been resolved in some way: the user has been issued a new
> password or has given up on PostgreSQL
>
> With that said, we could do something like:
>
> "To determine if this release affects an of your users ability to log in
> using either the SCRAM-SHA-256 on MD5 password based methods, you can
> run the following query:

s/an of/any of/.

> We advise that you reset the passwords for these users.

Sounds fine to me, thanks. I am not sure if we would want to have
something in the release notes, on a wiki page with the release notes
including a link to it, or just no direct mention in the release
notes. In the past, say for the issue with the incorrect VM page
references, we have used a wiki page with queries and such for
diagnostics.

> +1 for fixing so it's consistent (at least from a behavior standpoint).
>
> I confirmed that it's in 9.5 & 9.4 as well.

Thanks for confirming, I am going to patch 9.4~9.6 with that.
--
Michael
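The diagnostic the thread talks about is a check of stored verifiers against the two formats the server accepts. The following is an added example, not from this thread and not the query Jonathan refers to: it applies the MD5 (`md5` plus 32 lowercase hex digits) and SCRAM-SHA-256 (`SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>`, base64 fields) layouts to constructed rows shaped like `pg_authid` (`rolname`, `rolpassword`); it assumes only those two formats are expected, so plaintext passwords, which releases before 10 could still store, are flagged as well.

```python
import base64
import binascii
import re

# Constructed rows in the shape of pg_authid (rolname, rolpassword); None means no password set.
SAMPLE_ROWS = [
    ("alice", "md5" + "a" * 32),                 # well-formed MD5 verifier
    ("bob", "SCRAM-SHA-256$1234"),               # truncated verifier, as in the thread
    ("carol", "md5zz" + "0" * 30),               # MD5 verifier with bogus characters
    ("dave", None),                              # no password at all
    ("erin", "SCRAM-SHA-256$4096:" + base64.b64encode(b"saltsalt").decode()
             + "$" + base64.b64encode(b"\x11" * 32).decode()
             + ":" + base64.b64encode(b"\x22" * 32).decode()),  # well-formed SCRAM verifier
]

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")  # the server only emits lowercase hex
# Layout: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, the last three base64.
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$(\d+):([^$:]+)\$([^$:]+):([^$:]+)$")


def _b64_len(text):
    """Decoded length of strict base64 text, or None if it does not decode."""
    try:
        return len(base64.b64decode(text, validate=True))
    except (binascii.Error, ValueError):
        return None


def scram_verifier_ok(verifier):
    m = SCRAM_RE.match(verifier)
    if not m or int(m.group(1)) < 1:
        return False
    salt_len, stored_len, server_len = (_b64_len(x) for x in m.groups()[1:])
    # Salt must decode to at least one byte; StoredKey and ServerKey are
    # SHA-256 outputs, so each must decode to exactly 32 bytes.
    return bool(salt_len) and stored_len == 32 and server_len == 32


def classify(rolpassword):
    if rolpassword is None:
        return "none"
    if MD5_RE.match(rolpassword):
        return "md5"
    if scram_verifier_ok(rolpassword):
        return "scram-sha-256"
    return "invalid"


def roles_needing_reset(rows):
    """Names of roles whose stored verifier matches neither accepted format."""
    return [name for name, pw in rows if classify(pw) == "invalid"]


if __name__ == "__main__":
    print("reset advised for:", roles_needing_reset(SAMPLE_ROWS))  # ['bob', 'carol']
```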
