From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | raf(at)raf(dot)org, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: Possible to store invalid SCRAM-SHA-256 Passwords |
Date: | 2019-04-23 14:55:28 |
Message-ID: | 30633.1556031328@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * raf(at)raf(dot)org (raf(at)raf(dot)org) wrote:
>> I don't think there's anything wrong with prefixing a
>> password hash with an identifier for the password
>> hashing scheme (and any parameters for that scheme).
>> This is done all the time in many systems. It just has
>> to be unambiguoous.
> There isn't a way to make it unambiguous given that we accept
> more-or-less anything as a plaintext password though, that would be the
> issue here..
In practice, particularly with the extra validation we just added,
it seems vanishingly unlikely that anyone would choose a password
that just happened to look like one of the hashed formats.
If somebody intentionally chooses such a password, well, it's on
their heads whether the outcome is what they want.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | GOLLET Nicolas | 2019-04-23 15:50:18 | RE: Re: Re: BUG #15769: The database cluster intialisation failed. |
Previous Message | Stephen Frost | 2019-04-23 14:43:06 | Re: Possible to store invalid SCRAM-SHA-256 Passwords |