| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | raf(at)raf(dot)org, pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Possible to store invalid SCRAM-SHA-256 Passwords |
| Date: | 2019-04-23 14:55:28 |
| Message-ID: | 30633.1556031328@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * raf(at)raf(dot)org (raf(at)raf(dot)org) wrote:
>> I don't think there's anything wrong with prefixing a
>> password hash with an identifier for the password
>> hashing scheme (and any parameters for that scheme).
>> This is done all the time in many systems. It just has
>> to be unambiguoous.
> There isn't a way to make it unambiguous given that we accept
> more-or-less anything as a plaintext password though, that would be the
> issue here..
In practice, particularly with the extra validation we just added,
it seems vanishingly unlikely that anyone would choose a password
that just happened to look like one of the hashed formats.
If somebody intentionally chooses such a password, well, it's on
their heads whether the outcome is what they want.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | GOLLET Nicolas | 2019-04-23 15:50:18 | RE: Re: Re: BUG #15769: The database cluster intialisation failed. |
| Previous Message | Stephen Frost | 2019-04-23 14:43:06 | Re: Possible to store invalid SCRAM-SHA-256 Passwords |