Re: password_encryption default

Greetings,

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Thu, May 28, 2020 at 8:53 AM Peter Eisentraut
> <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> > More along these lines: We could also remove the ENCRYPTED and
> > UNENCRYPTED keywords from CREATE and ALTER ROLE. AFAICT, these have
> > never been emitted by pg_dump or psql, so there are no concerns from
> > that end. Thoughts?
>
> I have a question about this. My understanding of this area isn't
> great. As I understand it, you can specify a password unencrypted and
> let the system compute the validator from it, or you can compute the
> validator yourself and then send that as the 'encrypted' password.
> But, apparently, CREATE ROLE and ALTER ROLE don't really know which
> thing you did. They just examine the string that you passed and decide
> whether it looks like a validator. If so, they assume it is; if not,
> they assume it's just a password.
>
> But that seems really odd. What if you choose a password that just
> happens to look like a validator? Perhaps that's not real likely, but
> why do we not permit -- or even require -- the user to specify intent?
> It seems out of character for us to, essentially, guess the meaning of
> something ambiguous rather than requiring the user to be clear about
> it.

Indeed, and it's also been a source of bugs... Watching pgcon atm but
I do recall some history around exactly this.

I'd certainly be in favor of having these things be more explicit-
including doing things like actually splitting out the actual password
validator from the algorithm instead of having them smashed together as
one string as if we don't know what columns are (also recall complaining
about that when scram was first being developed too, though that might
just be in my head).

Thanks,

Stephen