Re: Docs: Encourage strong server verification with SCRAM - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: Docs: Encourage strong server verification with SCRAM
Msg-id 69EC75B8-3A75-43D9-9A2A-61BF6571247B@yesql.se
In response to Re: Docs: Encourage strong server verification with SCRAM  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Docs: Encourage strong server verification with SCRAM
List pgsql-hackers
> On 23 May 2023, at 23:02, Stephen Frost <sfrost@snowman.net> wrote:
> * Jacob Champion (jchampion@timescale.com) wrote:

>> - low iteration counts accepted by the client make it easier than it
>> probably should be for a MITM to brute-force passwords (note that
>> PG16's scram_iterations GUC, being server-side, does not mitigate
>> this)
>
> This would be good to improve on.

The mechanics of this are quite straightforward, the problem IMHO lies in how to
inform and educate users what a reasonable iteration count is, not to mention
what an iteration count is in the first place.

> Perhaps more succinctly- maybe we should be making adjustments to the
> current language instead of just adding a new paragraph.

+1

--
Daniel Gustafsson
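The point Jacob raises in the quoted paragraph, a client that accepts whatever iteration count the server-first message names, is easiest to see with both halves side by side: the client-side floor, and the offline search a man-in-the-middle can run when there is no floor. The following is an added example written for this page, not PostgreSQL or libpq code. It assumes a hypothetical floor of 4096 (the RFC 7677 recommended minimum and the PG16 default for the server-side scram_iterations GUC), and the nonces, salt, password and candidate list are constructed for the demo rather than taken from any real exchange.

```python
"""Added example, not PostgreSQL or libpq code: a SCRAM-SHA-256 client that
refuses a downgraded iteration count, next to the offline attack a MITM gets
to run when the client does not check.  Nonces, salt, password and the
candidate list are constructed for this demo.
"""
import base64
import hashlib
import hmac

# Assumed client-side floor.  4096 is the RFC 7677 recommended minimum and
# the PG16 default for the server-side scram_iterations GUC.
MIN_ITERATIONS = 4096

# Constructed protocol values (not a real capture).
PASSWORD = "hunter2"
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE = "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k"
SALT_B64 = base64.b64encode(b"constructed-salt").decode()
HONEST_SERVER_FIRST = f"r={CLIENT_NONCE}{SERVER_NONCE},s={SALT_B64},i=4096"
DOWNGRADED_SERVER_FIRST = f"r={CLIENT_NONCE}{SERVER_NONCE},s={SALT_B64},i=1"
CANDIDATES = ["password", "123456", "hunter2", "letmein"]


class IterationCountTooLow(ValueError):
    pass


def parse_server_first(msg):
    """Split an RFC 5802 server-first-message 'r=...,s=...,i=...' into its parts."""
    attrs = {}
    for part in msg.split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed SCRAM attribute: {part!r}")
        attrs[key] = value
    return {
        "nonce": attrs["r"],
        "salt": base64.b64decode(attrs["s"]),
        "iterations": int(attrs["i"]),
    }


def scram_keys(password, salt, iterations):
    """SaltedPassword -> ClientKey -> StoredKey, as RFC 5802 defines them."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return client_key, stored_key


def accepts(server_first, minimum=MIN_ITERATIONS):
    """True if a client with this floor would proceed with the server-first-message."""
    return parse_server_first(server_first)["iterations"] >= minimum


def client_proof(password, client_nonce, server_first, minimum=MIN_ITERATIONS):
    """Build ClientProof, refusing any server-first below the iteration floor."""
    params = parse_server_first(server_first)
    if params["iterations"] < minimum:
        raise IterationCountTooLow(
            f"server asked for {params['iterations']} iterations, floor is {minimum}")
    client_key, stored_key = scram_keys(password, params["salt"], params["iterations"])
    # AuthMessage = client-first-message-bare "," server-first-message ","
    #               client-final-message-without-proof   (c=biws is base64("n,,"))
    auth_message = ",".join([
        f"n=,r={client_nonce}",
        server_first,
        f"c=biws,r={params['nonce']}",
    ]).encode()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    return proof, auth_message


def offline_guess(proof, auth_message, salt, iterations, candidates):
    """What a MITM that chose the salt and iteration count can do with the captured
    proof: one PBKDF2 run per guess, at the attacker's i=, not the real server's."""
    for guess in candidates:
        _, stored_key = scram_keys(guess, salt, iterations)
        client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
        recovered_client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
        if hashlib.sha256(recovered_client_key).digest() == stored_key:
            return guess
    return None


if __name__ == "__main__":
    # A client without a floor hands the MITM a proof it can search at i=1.
    proof, auth = client_proof(PASSWORD, CLIENT_NONCE, DOWNGRADED_SERVER_FIRST, minimum=1)
    p = parse_server_first(DOWNGRADED_SERVER_FIRST)
    print("recovered:", offline_guess(proof, auth, p["salt"], p["iterations"], CANDIDATES))
    # A client with the floor refuses before touching the password at all.
    try:
        client_proof(PASSWORD, CLIENT_NONCE, DOWNGRADED_SERVER_FIRST)
    except IterationCountTooLow as err:
        print("rejected:", err)
```

The search in offline_guess is the reason a server-side setting cannot help here: the MITM never relays the real server's i= to the client, so the work factor the client pays, and therefore the work factor the attacker pays per guess, is whatever the attacker put in the downgraded message. Only a floor enforced in the client before SaltedPassword is computed closes that.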
