Re: Maximum password length

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Isaac Morland <isaac(dot)morland(at)gmail(dot)com>
Cc: sfrost(at)snowman(dot)net, bossartn(at)amazon(dot)com, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Maximum password length
Date: 2018-10-12 21:22:50
Message-ID: 373.1539379370@sss.pgh.pa.us
Lists: pgsql-hackers

Isaac Morland <isaac(dot)morland(at)gmail(dot)com> writes:
> On Fri, 12 Oct 2018 at 16:52, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> I'm also trying to figure out why it makes sense to support an 8k
>> password and if we've really tried seeing what happens if pg_authid gets
>> a toast table that's actually used for passwords...

> ...
> It's also obvious that past a certain point, longer passwords don't help
> anyway, because it's already enough to have a password that can't be
> guessed in, say, the expected duration of the Earth's existence using all
> the computing power currently available in the world.

And, of course, who is really going to type a password longer than a
couple dozen characters? And get it right reliably, when they can't
see what they're typing? But even if you assume the password is never
manually entered but just lives in somebody's .pgpass, it's pointless
to make it so long. Then the attacker will just switch to brute-forcing
the user's login password, or wherever along the chain there actually
is a manually-entered password.

I concur that we might as well standardize on something in the range
of 64 to 100 characters. 1K is silly, even if somewhere there is a
spec that allows it.

regards, tom lane
