Re: BUG #15911: Why no Bcrypt in pg_hba.conf?

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: raf <raf(at)raf(dot)org>
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #15911: Why no Bcrypt in pg_hba.conf?
Date: 2019-07-17 03:26:12
Message-ID: 20190717032612.GF2130@paquier.xyz
Lists: pgsql-bugs

On Wed, Jul 17, 2019 at 09:22:42AM +1000, raf wrote:
> Tom Lane wrote:
>> Thus, we aren't going to add stuff on a whim, and when we do add some
>> new mechanism, there has to be a really solid argument that it's a
>> *significant* advance over what we have.

Agreed. Adding a new authentication method is a lot of work as this
extends the protocol, and still with SCRAM we are not done yet with
drivers not linked directly with libpq, and I have some experience in
the area.

> bcrypt is better than pbkdf2 but pbkdf2 is still good
> for the same reasons that bcrypt is good (brute force
> resistance). if you want bcrypt/scrypt/argon2, pbkdf2
> will probably be good enough. and some organisations
> may require pbkdf2 because it is NIST-approved while
> the others aren't.

Good, we use PBKDF2 for the password salting. If it is possible to
justify that this has many more benefits in the current practices, and
that we are still able to stick with the latest RFC specifications,
there may be an argument to get something done and improved, but I
don't quite see what that would be and more importantly if we actually
need to do so.
--
Michael
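As an added example (not code from this thread or from PostgreSQL itself) of the PBKDF2-based salting Michael refers to: the SCRAM-SHA-256 verifier layout PostgreSQL stores ("SCRAM-SHA-256$iterations:salt$StoredKey:ServerKey") derived per RFC 5802/7677 with Python's standard library, plus the server-side proof check that lets the server authenticate a client without ever holding the plaintext password. The salt, password and AuthMessage used are constructed values, and the client helper reads the salt and iteration count from the verifier only as a shortcut for what the server would send in its first message.

```python
import base64
import hashlib
import hmac

# Added example: derive and check a SCRAM-SHA-256 verifier of the form PostgreSQL stores.
# The PBKDF2 iteration count (PostgreSQL's default is 4096) is the per-guess cost an
# offline attacker pays against a leaked verifier; the salt keeps guesses per-user.

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def scram_sha256_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """SaltedPassword = Hi(password, salt, i); Hi is PBKDF2 with HMAC-SHA-256."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # H(ClientKey): useless for impersonating a client
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"

def parse_verifier(verifier: str):
    """Split the stored string back into (iterations, salt, StoredKey, ServerKey)."""
    mech, params, keys = verifier.split("$")
    if mech != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))

def client_proof(password: str, verifier: str, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    iterations, salt, _, _ = parse_verifier(verifier)  # in real SCRAM these arrive in server-first
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verifies(verifier: str, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    _, _, stored_key, _ = parse_verifier(verifier)
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    v = scram_sha256_verifier("correct horse", b"constructed-salt")
    msg = b"n=alice,r=cnonce,r=cnoncesnonce,s=Y29uc3RydWN0ZWQtc2FsdA==,i=4096,c=biws,r=cnoncesnonce"
    print(v)
    print(server_verifies(v, msg, client_proof("correct horse", v, msg)))
```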
