Re: Proposal: Support custom authentication methods using hooks

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Michael Paquier <michael(at)paquier(dot)xyz>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jeff Davis <pgsql(at)j-davis(dot)com>, samay sharma <smilingsamay(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Proposal: Support custom authentication methods using hooks
Date: 2022-03-02 14:55:15
Message-ID: Yh+FU5vQZYoaOrMl@momjian.us
Lists: pgsql-hackers

On Tue, Mar 1, 2022 at 08:31:19AM -0500, Stephen Frost wrote:
> > The last time I played with this area is the recent error handling
> > improvement with cryptohashes but MD5 has actually helped here in
> > detecting the problem as a patched OpenSSL would complain if trying to
> > use MD5 as hash function when FIPS is enabled.
>
> Having to continue to deal with md5 as an algorithm when it's known to
> be notably less secure and so much so that organizations essentially ban
> its use for exactly what we're using it for is, in fact, another reason to

Really? I thought it was publicly-visible MD5 hashes that were the
biggest problem. Our 32-bit salt during the connection is a problem, of
course.

> remove it, not a reason to keep it. Better code coverage testing of
> error paths is the answer to making sure that our error handling behaves
> properly.

What is the logic to removing md5 but keeping 'password'?

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.
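The exchange the thread is arguing about, as an added example (not PostgreSQL's own code, though it follows the md5 method's algorithm: the catalog stores "md5" + hex(md5(password || username)), the server sends a 4-byte salt, and the client answers with "md5" + hex(md5(stored_hex || salt))). It shows why a publicly visible hash is the big problem Bruce points at, since the stored value alone is enough to answer the challenge, and quantifies the 32-bit salt replay issue. Role name, password, and salts below are constructed for the example.

```python
import hashlib
import hmac
import os


def pg_stored_md5(password: str, username: str) -> str:
    """What an md5 role has in pg_authid.rolpassword.

    The only salt is the role name, so the stored value is constant for a
    given (password, user) and is password-equivalent for this protocol.
    """
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_md5_response(stored: str, salt: bytes) -> str:
    """Client answer to AuthenticationMD5Password.

    Note the input is the *stored* value, not the password: anyone holding
    the hash (e.g. from a pg_authid dump) can produce a valid response.
    """
    if not (stored.startswith("md5") and len(stored) == 35 and len(salt) == 4):
        raise ValueError("expected a 35-char md5 hash and a 4-byte salt")
    inner_hex = stored[3:]
    return "md5" + hashlib.md5(inner_hex.encode() + salt).hexdigest()


def client_response_from_password(password: str, username: str, salt: bytes) -> str:
    """The honest client's path: it knows the password, derives the hash, answers."""
    return pg_md5_response(pg_stored_md5(password, username), salt)


def pg_md5_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored hash and compare in constant time."""
    return hmac.compare_digest(pg_md5_response(stored, salt), response)


def new_salt() -> bytes:
    """32-bit per-connection salt, as the md5 method uses."""
    return os.urandom(4)


def replay_success_probability(captured_handshakes: int, salt_bits: int = 32) -> float:
    """Chance that the next server salt matches one an eavesdropper already
    holds a (salt, response) pair for, assuming uniformly random salts.
    With a 32-bit salt this is captured / 2**32 per login attempt."""
    return min(1.0, captured_handshakes / 2 ** salt_bits)


if __name__ == "__main__":
    # Constructed role and password for the demonstration.
    user, pw = "alice", "correct horse"
    stored = pg_stored_md5(pw, user)

    # 1. Normal login: the client holds the password.
    salt = new_salt()
    print("login ok:", pg_md5_verify(stored, salt, client_response_from_password(pw, user, salt)))

    # 2. Hash-only attacker: never learns the password, still authenticates.
    salt = new_salt()
    print("pass-the-hash ok:", pg_md5_verify(stored, salt, pg_md5_response(stored, salt)))

    # 3. Replay: a captured pair only works if the same salt comes up again.
    print("replay odds after 1e6 captured handshakes:",
          replay_success_probability(1_000_000))
```

The second case is the point about exposed hashes: the md5 method is challenge-response against the stored string, so leaking pg_authid is as bad as leaking passwords for this method. The third case is the salt size point: 2^32 salts is small enough that a long-lived sniffer accumulates a usable replay dictionary, which is why the salt is a problem even though the password itself does not cross the wire.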
