> On 23 May 2023, at 23:02, Stephen Frost <sfr...@snowman.net> wrote:
> * Jacob Champion (jchamp...@timescale.com) wrote:
>> - low iteration counts accepted by the client make it easier than it
>> probably should be for a MITM to brute-force passwords (note that
>> PG16's scram_iterations GUC, being server-side, does not mitigate
>> this)
>
> This would be good to improve on.

The mechanics of this are quite straightforward, the problem IMHO lies in how to inform and educate users what a reasonable iteration count is, not to mention what an iteration count is in the first place.

> Perhaps more succinctly- maybe we should be making adjustments to the
> current language instead of just adding a new paragraph.

+1

--
Daniel Gustafsson
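The client-side check the thread is asking for, as an added illustration that is not code from the thread or from PostgreSQL: parse a SCRAM server-first message and refuse an iteration count below a client-enforced floor, since a server-side GUC cannot stop a MITM from sending a tiny count. The floor value (4096, the minimum RFC 5802 recommends) and the sample messages are constructed for this example.

```python
# Added example, not from the thread or PostgreSQL: a client-side floor on
# the SCRAM iteration count. MIN_ITERATIONS is an assumed policy value.
import base64
import re

MIN_ITERATIONS = 4096  # assumed policy floor; RFC 5802 recommends at least 4096


class ScramPolicyError(Exception):
    """Raised when a server-first message fails client-side policy."""


def parse_server_first(msg: str, client_nonce: str,
                       min_iterations: int = MIN_ITERATIONS) -> dict:
    """Parse a SCRAM server-first message (r=...,s=...,i=...) and enforce
    nonce continuity plus a minimum iteration count. Returns the attributes."""
    attrs = {}
    for part in msg.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ScramPolicyError(f"malformed attribute: {part!r}")
        attrs[part[0]] = part[2:]
    for required in ("r", "s", "i"):
        if required not in attrs:
            raise ScramPolicyError(f"missing attribute {required}")
    # The server nonce must extend the nonce the client sent.
    if not attrs["r"].startswith(client_nonce) or attrs["r"] == client_nonce:
        raise ScramPolicyError("server nonce does not extend client nonce")
    if not re.fullmatch(r"[1-9][0-9]*", attrs["i"]):
        raise ScramPolicyError("iteration count is not a positive integer")
    iterations = int(attrs["i"])
    # The actual mitigation: the client, not the server, rejects a low count,
    # so a MITM rewriting the message cannot cheapen the PBKDF2 work factor.
    if iterations < min_iterations:
        raise ScramPolicyError(
            f"iteration count {iterations} below client minimum {min_iterations}")
    salt = base64.b64decode(attrs["s"], validate=True)
    return {"nonce": attrs["r"], "salt": salt, "iterations": iterations}


def accepts(msg: str, client_nonce: str) -> bool:
    """True if the server-first message passes the client-side policy."""
    try:
        parse_server_first(msg, client_nonce)
        return True
    except (ScramPolicyError, ValueError):
        return False
```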