| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Greg Stark <stark(at)mit(dot)edu>, Robert Haas <robertmhaas(at)gmail(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: WIP: SCRAM authentication |
| Date: | 2015-09-05 00:31:47 |
| Message-ID: | 20150905003147.GD21484@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Sep 4, 2015 at 04:51:33PM -0400, Stephen Frost wrote:
> > Coming in late, but can you explain how multiple passwords allow for
> > easier automated credential rotation? If you have five applications
> > with stored passwords, I imagine you can't change them all at once, so
> > with multiples you could change it on one, then go to the others and
> > change it there, and finally, remove the old password. Is that the
> > process? I am not realizing that without multiple plasswords, this is a
> > hard problem.
>
> That's exactly the process if multiple passwords can be used. If
> there's only one account and one password supported then you have to
> change all the systems all at once and that certainly can be a hard
> problem.
>
> One way to deal with this is to have a bunch of different accounts, but
> that's certainly not simple either and can get quite painful.
OK, for me, if we can explain the benefit for users, it seems worth
doing just to allow that.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tatsuo Ishii | 2015-09-05 00:46:04 | Re: BRIN INDEX value |
| Previous Message | Bruce Momjian | 2015-09-04 23:43:03 | Re: Proposal: Implement failover on libpq connect level. |