
List:       postgresql-hackers
Subject:    Re: [HACKERS] Changing references of password encryption to hashing
From:       Robert Haas <robertmhaas () gmail ! com>
Date:       2023-11-30 17:16:01
Message-ID: CA+TgmoYLs3RsN_i_PEnS6MsRJvY_Cy=f+W7Yx=dQkDQXEKHBhQ () mail ! gmail ! com

On Wed, Nov 29, 2023 at 5:02 PM Nathan Bossart <nathandbossart@gmail.com> wrote:
> On Wed, Nov 29, 2023 at 04:02:11PM -0500, Robert Haas wrote:
> > I'd fully support having good documentation that says "hey, here are
> > the low security authentication configurations, here are the
> > medium-security ones, here are the high security ones, and here's why
> > these ones are better than those ones and what they protect against
> > and what risks remain." That would be awesome.
>
> +1.  IMO the "Password Authentication" section [0] does this pretty well
> already.

That's limited to just the password-based methods, though, so some
broader discussion of the whole suite of available techniques could be
useful. It does call out the known weaknesses of the md5 and password,
though, which is good.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

