From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Jacob Champion <jchampion(at)timescale(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Michael Paquier <michael(at)paquier(dot)xyz> |
Subject: | Re: Docs: Encourage strong server verification with SCRAM |
Date: | 2023-05-24 12:04:26 |
Message-ID: | 69EC75B8-3A75-43D9-9A2A-61BF6571247B@yesql.se |
Lists: | pgsql-hackers |
> On 23 May 2023, at 23:02, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Jacob Champion (jchampion(at)timescale(dot)com) wrote:
>> - low iteration counts accepted by the client make it easier than it
>> probably should be for a MITM to brute-force passwords (note that
>> PG16's scram_iterations GUC, being server-side, does not mitigate
>> this)
>
> This would be good to improve on.
The mechanics of this are quite straightforward, the problem IMHO lies in how to
inform and educate users what a reasonable iteration count is, not to mention
what an iteration count is in the first place.
> Perhaps more succinctly- maybe we should be making adjustments to the
> current language instead of just adding a new paragraph.
+1
--
Daniel Gustafsson
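The client-side floor the quoted bullet asks for, as an added example that is not part of this thread and not libpq's code: a minimal SCRAM-SHA-256 client-side check that parses the server-first-message and refuses to continue when the announced iteration count is below a configurable minimum. The 4096 floor, the nonces and the salt are constructed assumptions for the example, and Normalize() is treated as the identity instead of SASLprep.

```python
import base64
import hashlib
import re

# Client-side floor for the iteration count in the server-first-message.
# Assumed policy value for this example: 4096 is the minimum RFC 7677 requires
# for SCRAM-SHA-256; a deployment may well choose a higher floor.
MIN_ITERATIONS = 4096

_SERVER_FIRST = re.compile(r"^r=([^,]+),s=([A-Za-z0-9+/]+={0,2}),i=(\d+)$")


def parse_server_first(msg: str) -> dict:
    """Parse 'r=<nonce>,s=<base64 salt>,i=<iteration count>' into its fields."""
    m = _SERVER_FIRST.match(msg)
    if m is None:
        raise ValueError("malformed server-first-message")
    return {
        "nonce": m.group(1),
        "salt": base64.b64decode(m.group(2), validate=True),
        "iterations": int(m.group(3)),
    }


def validate_server_first(msg: str, client_nonce: str,
                          minimum: int = MIN_ITERATIONS) -> dict:
    """Reject a server-first-message the client should not proceed with.

    The iteration count sets the PBKDF2 cost of SaltedPassword.  A relay that
    substitutes a tiny 'i' makes offline guessing of the password from the
    ClientProof correspondingly cheap, and the server's own scram_iterations
    setting cannot prevent that because the client never sees it.
    """
    params = parse_server_first(msg)
    if not params["nonce"].startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    if params["iterations"] < minimum:
        raise ValueError(f"server asked for {params['iterations']} iterations; "
                         f"client floor is {minimum}")
    return params


def accepts(msg: str, client_nonce: str, minimum: int = MIN_ITERATIONS) -> bool:
    """Boolean convenience wrapper around validate_server_first()."""
    try:
        validate_server_first(msg, client_nonce, minimum)
        return True
    except ValueError:
        return False


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword := Hi(Normalize(password), salt, i), i.e. PBKDF2-HMAC-SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
```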