On 12/14/22 6:52 PM, Michael Paquier wrote:
On Wed, Dec 14, 2022 at 01:59:04PM -0500, Jonathan S. Katz wrote:
HA-256 that we will just need to pick up?
My point is you can write a hook to reject the password if the iteration count is "too low". Not to re-hash the password.

The attached v2 has the GUC rename and a change to GUC_REPORT such that the frontend can use the real value rather than the default. I kept it for super users so far, do you think it should be a user setting being somewhat sensitive?

No, because a user can set the number of iterations today if they build their own SCRAM secret. I think it's OK if they change it in a session. If a superuser wants to enforce a minimum iteration count, they can write a password_check_hook. (Or we could add another GUC to enforce that).

Hm? check_password_hook does not allow one to recompile the password given by the user, except if I am missing your point?
Thanks, Jonathan
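
The check described in this message (reject a SCRAM secret whose iteration count is too low, without re-hashing it), as an added example that is not part of the original mail or of PostgreSQL's code: a stand-alone C parser for the `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` secret layout. The function names and the 4096 floor are assumptions, and the sample secret is constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRAM_PREFIX "SCRAM-SHA-256$"
#define MIN_ITERATIONS 4096   /* assumed policy floor, not a value from the thread */

/* Parse SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>.
 * Returns the iteration count, or -1 if the secret is malformed. */
long scram_iterations(const char *secret)
{
    size_t plen = strlen(SCRAM_PREFIX);
    const char *p, *salt_end, *keys_sep;
    char *end;
    long n;
    if (secret == NULL || strncmp(secret, SCRAM_PREFIX, plen) != 0)
        return -1;
    p = secret + plen;
    if (*p < '0' || *p > '9')          /* digits only: no sign, no whitespace */
        return -1;
    errno = 0;
    n = strtol(p, &end, 10);
    if (errno == ERANGE || n <= 0 || n > INT_MAX || *end != ':')
        return -1;
    /* Salt, StoredKey and ServerKey must all be present and non-empty. */
    salt_end = strchr(end + 1, '$');
    if (salt_end == NULL || salt_end == end + 1)
        return -1;
    keys_sep = strchr(salt_end + 1, ':');
    if (keys_sep == NULL || keys_sep == salt_end + 1 || keys_sep[1] == '\0')
        return -1;
    return n;
}

/* 1 = accept, 0 = reject (malformed or non-SCRAM secrets are rejected too). */
int scram_secret_acceptable(const char *secret, long min_iterations)
{
    long n = scram_iterations(secret);
    return n > 0 && n >= min_iterations;
}

int main(void)
{
    /* Constructed sample secret; the base64 fields are placeholders. */
    const char *s = "SCRAM-SHA-256$1000:c2FsdA==$c3RvcmVk:c2VydmVy";
    printf("%s\n", scram_secret_acceptable(s, MIN_ITERATIONS) ? "accept" : "reject");
    return 0;
}
```

The check only reads the iteration field of a secret that was already built, so it applies equally to secrets computed on the client side.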