Re: WIP: SCRAM authentication

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: WIP: SCRAM authentication
Date: 2015-08-08 17:23:42
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 08/08/2015 04:27 PM, Robert Haas wrote:
> I don't see that there's any good reason to allow the same password to
> be stored in the catalog encrypted more than one way,

Sure there is. If you want to be able to authenticate using different
mechanism, you need the same password "encrypted" in different ways.
SCRAM uses verifier that's derived from the password in one way, MD5
authentication needs an MD5 hash, and yet other protocols have other

> and I don't think there's any good reason to introduce the PASSWORD
> VERIFIER terminology. I think we should store (1) your password,
> either encrypted or unencrypted; and (2) the method used to encrypt
> it. And that's it.

Like Joe and Stephen, I actually find it highly confusing that we call
the MD5 hash an "encrypted password". The term "password verifier" is
fairly common in the specifications of authentication mechanisms. I
think we should adopt it.

- Heikki

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Heikki Linnakangas 2015-08-08 17:49:03 Re: checkpointer continuous flushing
Previous Message Noah Misch 2015-08-08 16:47:28 Test code is worth the space