| From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Andreas Karlsson <andreas(at)proxel(dot)se>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: PG 10 release notes |
| Date: | 2017-04-26 02:06:03 |
| Message-ID: | CAB7nPqTJ+z0FyeJ2VdaPNA=XQaxmeM3WfnGbiCixt+q2hbNpaw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Apr 26, 2017 at 10:56 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> First, I don't think RFC references belong in the release notes, let
> alone RFC links.
>
> Second, there seems to be some confusion over what SCRAM-SHA-256 gives
> us over MD5. I think there are a few benefits:
>
> o packets cannot be replayed as easily, i.e. md5 replayed random salt
> packets with a 50% probability after 16k sessions
> o hard to re-use SCRAM-SHA-256 string if disclosed vs. simple for md5
> o harder to brute-force trying all possible strings to find a matching
> hash
>
> So if you tell users that SCRAM-SHA-256 is better than MD5 only because
> of one of those, they will not realize that three benefits of changing
> to SCRAM-SHA-256. I might have even missed some benefits.
If the release notes keep a general tone, perhaps it would be better
to mention as well that SCRAM is the recommended password-based
authentication method moving forward?
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2017-04-26 02:13:00 | Re: PG 10 release notes |
| Previous Message | Amit Langote | 2017-04-26 02:05:27 | Re: Dropping a partitioned table takes too long |