From: | raf <raf(at)raf(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #15911: Why no Bcrypt in pg_hba.conf? |
Date: | 2019-07-16 23:22:42 |
Message-ID: | 20190716232242.bvdu6w7jnk3fj237@raf.org |
Lists: | pgsql-bugs |
Tom Lane wrote:
> Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk> writes:
> > "PG" == PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> > PG> Can you please add `bcrypt` as method option?
>
> > Not unless it gets added to the SCRAM specification.
>
> > Note that our primary goal here is to provide a secure and standard
> > challenge-response authentication mechanism, not to provide random
> > alternate algorithms for password storage.
>
> Worth noting here is that for us, the price of an additional
> authentication mechanism is very high, because it's not just a matter
> of adding some code to the server. Client-side libraries also need to
> be taught about it, and most of those are not maintained by the core
> PG project. So it takes years to make anything happen --- the
> addition of SCRAM is still a work in progress, for example.
>
> Thus, we aren't going to add stuff on a whim, and when we do add some
> new mechanism, there has to be a really solid argument that it's a
> *significant* advance over what we have.
>
> regards, tom lane
bcrypt is better than pbkdf2 but pbkdf2 is still good
for the same reasons that bcrypt is good (brute force
resistance). if you want bcrypt/scrypt/argon2, pbkdf2
will probably be good enough. and some organisations
may require pbkdf2 because it is NIST-approved while
the others aren't.
cheers,
raf
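Because the thread turns on SCRAM being the spec that fixes the password hash, here is an added worked example (not code from the thread or from PostgreSQL) of the SCRAM-SHA-256 key derivation from RFC 5802/7677: PBKDF2 produces SaltedPassword, the server keeps only StoredKey and ServerKey alongside the salt and iteration count, and the challenge-response proof is checked against those. The salt, iteration count and AuthMessage below are constructed sample values.

```python
import hashlib
import hmac

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(password: str, salt: bytes, iterations: int) -> tuple:
    """RFC 5802 derivation: SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, i),
    ClientKey = HMAC(SaltedPassword, "Client Key"), StoredKey = SHA-256(ClientKey),
    ServerKey = HMAC(SaltedPassword, "Server Key")."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key

def scram_sha256_verifier(password: str, salt: bytes, iterations: int) -> dict:
    """What the server stores: salt, iterations, StoredKey, ServerKey. The
    password is not recoverable from these except by brute force, and the
    PBKDF2 iteration count is what makes that brute force expensive."""
    _, stored_key, server_key = derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    The client recomputes the keys from the password plus the salt and
    iteration count the server sent; the password never crosses the wire."""
    client_key, stored_key, _ = derive_keys(password, salt, iterations)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return xor_bytes(client_key, client_sig)

def server_verify(verifier: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare its hash
    against StoredKey in constant time; only the real ClientKey passes."""
    client_sig = hmac.new(verifier["stored_key"], auth_message, hashlib.sha256).digest()
    client_key = xor_bytes(proof, client_sig)
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), verifier["stored_key"])

def server_signature(verifier: dict, auth_message: bytes) -> bytes:
    """Server's final message, HMAC(ServerKey, AuthMessage): lets the client
    confirm the server holds the verifier too (mutual authentication)."""
    return hmac.new(verifier["server_key"], auth_message, hashlib.sha256).digest()

# Constructed sample values, not taken from PostgreSQL or the thread. A real
# AuthMessage is assembled from the client and server nonces of the handshake.
SALT = b"constructed-salt"
ITERATIONS = 4096
AUTH_MESSAGE = b"n=user,r=cnonce,r=cnonce+snonce,s=c2FsdA==,i=4096,c=biws,r=cnonce+snonce"
```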