Re: Proposal: Support custom authentication methods using hooks

Greetings,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Tue, Mar 1, 2022 at 08:31:19AM -0500, Stephen Frost wrote:
> > > The last time I played with this area is the recent error handling
> > > improvement with cryptohashes but MD5 has actually helped here in
> > > detecting the problem as a patched OpenSSL would complain if trying to
> > > use MD5 as hash function when FIPS is enabled.
> >
> > Having to continue to deal with md5 as an algorithm when it's known to
> > be notably less secure and so much so that organizations essentially ban
> > its use for exactly what we're using it for, in fact, another reason to
>
> Really? I thought it was publicly-visible MD5 hashes that were the
> biggest problem. Our 32-bit salt during the connection is a problem, of
> course.

Neither are good. Not sure that we really need to spend a lot of effort
trying to figure out which issue is the biggest problem.

> > remove it, not a reason to keep it. Better code coverage testing of
> > error paths is the answer to making sure that our error handling behaves
> > properly.
>
> What is the logic to removing md5 but keeping 'password'?

I don't think we should keep 'password'.

Thanks,

Stephen