| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | raf(at)raf(dot)org |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Possible to store invalid SCRAM-SHA-256 Passwords |
| Date: | 2019-04-23 14:42:00 |
| Message-ID: | 20190423144159.GP6197@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Greetings,
* raf(at)raf(dot)org (raf(at)raf(dot)org) wrote:
> Stephen Frost wrote:
> > I agree we should also handle md5 better. I realize this needs to be
> > back-patched and so we have to deal with the existing catalog structure,
> > but this really screams out, in my mind anyway, that we shouldn't have
> > ever tried to just stash the password-encoding-type into the password
> > field and that we should have pulled it out into its own column, so that
> > we aren't having to guess about things as important as a password.
>
> I don't think there's anything wrong with prefixing a
> password hash with an identifier for the password
> hashing scheme (and any parameters for that scheme).
> This is done all the time in many systems. It just has
> to be unambiguoous.
There isn't a way to make it unambiguous given that we accept
more-or-less anything as a plaintext password though, that would be the
issue here..
Thanks!
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2019-04-23 14:43:06 | Re: Possible to store invalid SCRAM-SHA-256 Passwords |
| Previous Message | Jonathan S. Katz | 2019-04-23 14:19:30 | Re: Possible to store invalid SCRAM-SHA-256 Passwords |