Re: BUG #15911: Why no Bcrypt in pg_hba.conf?
From | raf |
---|---|
Subject | Re: BUG #15911: Why no Bcrypt in pg_hba.conf? |
Date | |
Msg-id | 20190716232242.bvdu6w7jnk3fj237@raf.org |
In reply to | Re: BUG #15911: Why no Bcrypt in pg_hba.conf? (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: BUG #15911: Why no Bcrypt in pg_hba.conf? |
List | pgsql-bugs |

Tom Lane wrote:

> Andrew Gierth <andrew@tao11.riddles.org.uk> writes:
> > "PG" == PG Bug reporting form <noreply@postgresql.org> writes:
> > PG> Can you please add `bcrypt` as method option?
>
> > Not unless it gets added to the SCRAM specification.
>
> > Note that our primary goal here is to provide a secure and standard
> > challenge-response authentication mechanism, not to provide random
> > alternate algorithms for password storage.
>
> Worth noting here is that for us, the price of an additional
> authentication mechanism is very high, because it's not just a matter
> of adding some code to the server. Client-side libraries also need to
> be taught about it, and most of those are not maintained by the core
> PG project. So it takes years to make anything happen --- the
> addition of SCRAM is still a work in progress, for example.
>
> Thus, we aren't going to add stuff on a whim, and when we do add some
> new mechanism, there has to be a really solid argument that it's a
> *significant* advance over what we have.
>
> regards, tom lane

bcrypt is better than pbkdf2 but pbkdf2 is still good
for the same reasons that bcrypt is good (brute force
resistance). if you want bcrypt/scrypt/argon2, pbkdf2
will probably be good enough. and some organisations
may require pbkdf2 because it is NIST-approved while
the others aren't.

cheers,
raf