| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Bossart, Nathan" <bossartn(at)amazon(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Isaac Morland <isaac(dot)morland(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Maximum password length |
| Date: | 2018-10-13 00:02:00 |
| Message-ID: | 29496.1539388920@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
"Bossart, Nathan" <bossartn(at)amazon(dot)com> writes:
> On 10/12/18, 4:24 PM, "Stephen Frost" <sfrost(at)snowman(dot)net> wrote:
>> Specific use-cases here would be better than hand-waving at "these other
>> things." Last I checked, all of those work with what we've got today
>> and I don't recall hearing complaints about them not working due to this
>> limit.
> The main one I am thinking of is generated security tokens. It seems
> reasonable to me to limit md5 and scram-sha-256 passwords to a much
> shorter length, but I think the actual server message limit should be
> somewhat more flexible.
Sure, but even a generated security token seems unlikely to be more
than a couple dozen bytes long. What's the actual use-case for tokens
longer than that? ISTM that a limit around 100 bytes already has a
whole lot of headroom.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2018-10-13 00:12:33 | Re: [HACKERS] removing abstime, reltime, tinterval.c, spi/timetravel |
| Previous Message | Tom Lane | 2018-10-12 23:47:40 | Re: [HACKERS] removing abstime, reltime, tinterval.c, spi/timetravel |