Re: Maximum password length

Greetings,

* Bossart, Nathan (bossartn@amazon.com) wrote:
> I've attached 2 patches in an effort to clarify the upper bounds on
> password lengths:
>     - 0001 refactors the hard-coded 100 character buffer size used for
>       password prompts for client utilities into a
>       PROMPT_MAX_PASSWORD_LENGTH macro in postgres_fe.h.
>     - 0002 is an attempt at documenting the password length
>       restrictions and suggested workarounds for longer passwords.

If we're going to do work in this area, why wouldn't we have the client
tools and the server agree on the max length and then have them all be
consistent..?

Seems odd to decide that 100 character buffer size in the clients makes
sense and then make the server support an 8k password.

I'm also trying to figure out why it makes sense to support an 8k
password and if we've really tried seeing what happens if pg_authid gets
a toast table that's actually used for passwords...

I'll note your patches neglected to include any tests...

Thanks!

Stephen