Greetings,

* Isaac Morland (isaac.morl...@gmail.com) wrote:
> On Fri, 12 Oct 2018 at 16:52, Stephen Frost <sfr...@snowman.net> wrote:
> > I'm also trying to figure out why it makes sense to support an 8k
> > password and if we've really tried seeing what happens if pg_authid gets
> > a toast table that's actually used for passwords...
>
> pg_authid.rolpassword stores a hash, so the password length does not affect
> it.
I had been thinking about storing plaintext passwords, which we certainly used to do, but forgot that we actually did remove that, finally, so this specific point isn't a concern any longer, though of course the rest is.

> Of course, this also means that even in principle super-long passwords
> don't increase security, since one "can" (again, in principle) brute-force
> any password by guessing the first
> not-very-many-more-than-the-total-number-of-distinct-hashes possible
> passwords, starting with the shortest passwords and working up to longer
> passwords.

Well, as you say, length doesn't matter here, if all you're doing is enumerating all possible responses to the server.

> It's also obvious that past a certain point, longer passwords don't help
> anyway, because it's already enough to have a password that can't be
> guessed in, say, the expected duration of the Earth's existence using all
> the computing power currently available in the world.

Not sure I really am all that keen to get into that debate. :)

> I agree there should be a specific limit that is the same in libpq, on the
> server, and in the protocol. Maybe 128 characters, to get a nice round
> number? This is still way longer than the 32-byte SHA 256 hash. Or 64,
> which is still plenty but doesn't involve extending the current character
> buffer size to a longer value while still hugely exceeding the amount of
> information in the hash.

I certainly don't think that we should break things which do work today, which would include long plaintext passwords sent by clients. Even if our clients don't support >100 character passwords, if the server does, then someone might be using one.

Thanks!

Stephen