The SCRAM salt length is currently set as /* length of salt when generating new verifiers */ #define SCRAM_DEFAULT_SALT_LEN 12
without further comment. I suspect that this length was chosen based on the example in RFC 5802 (SCRAM-SHA-1) section 5. But the analogous example in RFC 7677 (SCRAM-SHA-256) section 3 uses a length of 16. Should we use that instead? -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
