Re: [PATCH] Add CHECK_FOR_INTERRUPTS in scram_SaltedPassword loop.
From | Tom Lane
---|---
Subject | Re: [PATCH] Add CHECK_FOR_INTERRUPTS in scram_SaltedPassword loop.
Date |
Msg-id | 1674901.1700665447@sss.pgh.pa.us
In reply to | Re: [PATCH] Add CHECK_FOR_INTERRUPTS in scram_SaltedPassword loop. (Daniel Gustafsson <daniel@yesql.se>)
Responses | Re: [PATCH] Add CHECK_FOR_INTERRUPTS in scram_SaltedPassword loop.
List | pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes:
>> On 22 Nov 2023, at 14:30, Aleksander Alekseev <aleksander@timescale.com> wrote:
>> It sort of makes sense. I wonder though if we should limit the maximum
>> number of iterations instead. If somebody specified 1_000_000+
>> iteration this could also indicate a user error.

> I don't think it would be useful to limit this at an arbitrary point, iteration
> count can be set per password and if someone wants a specific password to be
> super-hard to brute force then why should we limit that?

Maybe because it could be used to construct a DOS scenario? In particular,
since CHECK_FOR_INTERRUPTS doesn't work on the frontend side, a situation
like this wouldn't be interruptible there.

I agree with Aleksander that such cases are much more likely to indicate
user error than anything else.

regards, tom lane
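As an added illustration (not code from this thread or from PostgreSQL itself), the SCRAM SaltedPassword loop in Python with a per-iteration interrupt hook at the spot the patch discusses, plus a budget-based cancel that shows why an uncapped iteration count only costs bounded work where such a hook actually fires; the password, salt and budget values are constructed.

```python
import hashlib
import hmac
import struct

HASH = "sha256"  # SCRAM-SHA-256, the mechanism PostgreSQL implements

class Interrupted(Exception):
    """Raised by the check hook to abandon the loop (stands in for a cancel)."""

def salted_password(password: bytes, salt: bytes, iterations: int,
                    check_for_interrupts=None) -> bytes:
    """SaltedPassword = Hi(password, salt, iterations) per RFC 5802 sec. 2.2:
    U1 = HMAC(pw, salt || INT(1)), Un = HMAC(pw, U(n-1)), result = XOR of all Un.
    Cost is linear in `iterations`, so a cancel can only take effect inside the
    loop; the optional hook runs once per iteration there, where the patch
    under discussion places CHECK_FOR_INTERRUPTS."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    u = hmac.new(password, salt + struct.pack(">I", 1), HASH).digest()
    result = bytearray(u)
    for _ in range(1, iterations):
        if check_for_interrupts is not None:
            check_for_interrupts()
        u = hmac.new(password, u, HASH).digest()
        for k in range(len(result)):
            result[k] ^= u[k]
    return bytes(result)

def reference(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Same value via the standard library, to confirm the loop above."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)

def run_with_budget(password: bytes, salt: bytes, iterations: int, budget: int):
    """Compute SaltedPassword but abandon it once `budget` hook calls fired,
    simulating a cancel request that arrives mid-loop.  Returns
    (result, hook_calls); result is None if abandoned, showing the wasted work
    is bounded by the cancel rather than by the stored iteration count."""
    calls = 0

    def check():
        nonlocal calls
        calls += 1
        if calls > budget:
            raise Interrupted(f"abandoned after {calls} hook calls")

    try:
        return salted_password(password, salt, iterations, check), calls
    except Interrupted:
        return None, calls
```

Without the hook (check_for_interrupts=None) the same call with a ten-million iteration count runs to completion, which is the frontend-side situation the reply describes.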