Re: WIP: SCRAM authentication

On Tue, Aug 18, 2015 at 09:30:39PM +0100, Greg Stark wrote:
> > OK, that's an interesting argument.  If SCRAM supports multiple
> > password verifiers, and we support SCRAM, then I guess we should
> > probably do that, too.  I still don't like it all that much, though.
> > I think it's absolutely inevitable that people are going to end up
> > with an account with 3 or more different passwords that can all be
> > used to log into it, and that won't be good.  How do other systems
> > avoid this pitfall?
> 
> Fwiw having multiple passwords would make automated credential
> rotations *so* much easier. Heroku has a really baroque solution to
> this problem in Postgres involving creating new child roles and
> swapping them around. My team in Google wasted many man hours dealing
> with fallout from the quarterly password rotations.

Coming in late, but can you explain how multiple passwords allow for
easier automated credential rotation?  If you have five applications
with stored passwords, I imagine you can't change them all at once, so
with multiples you could change it on one, then go to the others and
change it there, and finally, remove the old password.  Is that the
process?  I am not realizing that without multiple plasswords, this is a
hard problem.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +