Re: WIP: SCRAM authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Greg Stark <stark(at)mit(dot)edu>, Robert Haas <robertmhaas(at)gmail(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: WIP: SCRAM authentication
Date: 2015-09-04 20:51:33
Message-ID: 20150904205133.GB3685@tamriel.snowman.net
Lists: pgsql-hackers

Bruce,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Tue, Aug 18, 2015 at 09:30:39PM +0100, Greg Stark wrote:
> > > OK, that's an interesting argument. If SCRAM supports multiple
> > > password verifiers, and we support SCRAM, then I guess we should
> > > probably do that, too. I still don't like it all that much, though.
> > > I think it's absolutely inevitable that people are going to end up
> > > with an account with 3 or more different passwords that can all be
> > > used to log into it, and that won't be good. How do other systems
> > > avoid this pitfall?
> >
> > Fwiw having multiple passwords would make automated credential
> > rotations *so* much easier. Heroku has a really baroque solution to
> > this problem in Postgres involving creating new child roles and
> > swapping them around. My team in Google wasted many man hours dealing
> > with fallout from the quarterly password rotations.
>
> Coming in late, but can you explain how multiple passwords allow for
> easier automated credential rotation? If you have five applications
> with stored passwords, I imagine you can't change them all at once, so
> with multiples you could change it on one, then go to the others and
> change it there, and finally, remove the old password. Is that the
> process? I am not realizing that without multiple passwords, this is a
> hard problem.

That's exactly the process if multiple passwords can be used. If
there's only one account and one password supported then you have to
change all the systems all at once and that certainly can be a hard
problem.

One way to deal with this is to have a bunch of different accounts, but
that's certainly not simple either and can get quite painful.

Thanks!

Stephen
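The rotation sequence discussed above (add the new credential, move the applications over one at a time, then remove the old one) and the "bunch of different accounts" workaround it falls back to when a role can hold only one password, shown as PostgreSQL SQL. This is an added example and not code from the thread or from the Heroku tooling mentioned; the role names, table, dates and password placeholders are assumptions made for illustration.

```sql
-- Added example: credential rotation using separate login roles, for a
-- server where each role can hold only one password verifier.
-- Role names, the table, the dates and the password literals are
-- placeholders chosen for illustration.

-- One-time setup: a NOLOGIN group role owns every application object, so
-- the login roles that come and go during rotation never own anything and
-- can be dropped without REASSIGN OWNED.
CREATE ROLE app NOLOGIN;
CREATE TABLE orders (id serial PRIMARY KEY, total numeric);
ALTER TABLE orders OWNER TO app;

-- Current credential: a login role that is a member of app and switches
-- to app on connect, so objects it creates are owned by app as well.
CREATE ROLE app_login_a LOGIN PASSWORD 'old-secret' IN ROLE app;
ALTER ROLE app_login_a SET role = 'app';

-- Rotation step 1: add the new credential alongside the old one.
-- Both credentials are valid from this point on.
CREATE ROLE app_login_b LOGIN PASSWORD 'new-secret' IN ROLE app;
ALTER ROLE app_login_b SET role = 'app';

-- Rotation step 2: reconfigure each application to connect as app_login_b,
-- one at a time. Give the old credential a hard deadline so a forgotten
-- client does not keep it alive indefinitely.
ALTER ROLE app_login_a VALID UNTIL '2015-10-01';

-- Check before the final step: is anything still connected with the old
-- credential? An empty result for app_login_a means it is safe to retire.
SELECT usename, count(*) AS sessions
FROM pg_stat_activity
WHERE usename IN ('app_login_a', 'app_login_b')
GROUP BY usename;

-- Rotation step 3: remove the old credential. Because app owns the
-- objects, dropping the login role does not affect any table or grant.
DROP ROLE app_login_a;
```

The next rotation repeats steps 1 to 3 with a fresh login role, so at no point do all applications have to change at once. What a per-role list of password verifiers would buy over this pattern is the removal of the group-role indirection and the one-login-role-per-generation bookkeeping, with rotation becoming a plain add-password, migrate, drop-password sequence on a single role.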
