On Tue, Apr 25, 2017 at 09:56:58PM -0400, Bruce Momjian wrote:
> > SCRAM-SHA-256 improves deficiencies of MD5 password hashing by
> > preventing any kind of pass-the-hash vulnerabilities, where a user
> > would be able to connect to a PostgreSQL instance by just knowing the
> > hash of a password and not the password itself.
>
> First, I don't think RFC references belong in the release notes, let
> alone RFC links.
>
> Second, there seems to be some confusion over what SCRAM-SHA-256 gives
> us over MD5. I think there are a few benefits:
>
> o packets cannot be replayed as easily, i.e. md5 replayed random salt
> packets with a 50% probability after 16k sessions ^^^
Sorry, it is after 64k sessions. The rule of thumb is that if you
choose from 2^x random values, you have a 50% chance of repeating one
after 2^(x/2) numbers.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +