Re: Docs: Encourage strong server verification with SCRAM
From | Daniel Gustafsson |
---|---|
Subject | Re: Docs: Encourage strong server verification with SCRAM |
Date | |
Msg-id | 69EC75B8-3A75-43D9-9A2A-61BF6571247B@yesql.se |
In reply to | Re: Docs: Encourage strong server verification with SCRAM (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: Docs: Encourage strong server verification with SCRAM |
List | pgsql-hackers |

> On 23 May 2023, at 23:02, Stephen Frost <sfrost@snowman.net> wrote:
> * Jacob Champion (jchampion@timescale.com) wrote:

>> - low iteration counts accepted by the client make it easier than it
>> probably should be for a MITM to brute-force passwords (note that
>> PG16's scram_iterations GUC, being server-side, does not mitigate
>> this)
>
> This would be good to improve on.

The mechanics of this are quite straightforward, the problem IMHO lies in how to inform and educate users what a reasonable iteration count is, not to mention what an iteration count is in the first place.

> Perhaps more succinctly- maybe we should be making adjustments to the
> current language instead of just adding a new paragraph.

+1

--
Daniel Gustafsson
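
A client-side floor on the iteration count, as discussed in this thread, could look like the following. This is an added example, not part of the message and not libpq code; `check_server_first`, `MIN_ITERATIONS` and the sample messages are hypothetical and constructed for illustration.

```python
import base64
import re

MIN_ITERATIONS = 4096  # assumed policy floor for this example, not a libpq setting


class ScramPolicyError(Exception):
    """Raised when a server-first-message is malformed or violates client policy."""


def check_server_first(message, client_nonce, min_iterations=MIN_ITERATIONS):
    """Parse an RFC 5802 server-first-message; return (nonce, salt, iterations)."""
    attrs = {}
    for part in message.split(","):
        key, sep, value = part.partition("=")  # base64 padding '=' stays in value
        if not sep or len(key) != 1 or key in attrs:
            raise ScramPolicyError(f"malformed or duplicate attribute: {part!r}")
        attrs[key] = value
    if "m" in attrs:
        raise ScramPolicyError("unsupported mandatory extension (m=)")
    nonce = attrs.get("r", "")
    # The combined nonce must extend the nonce this client sent.
    if not nonce.startswith(client_nonce) or len(nonce) <= len(client_nonce):
        raise ScramPolicyError("server nonce does not extend client nonce")
    try:
        salt = base64.b64decode(attrs.get("s", ""), validate=True)
    except ValueError as exc:
        raise ScramPolicyError("salt is not valid base64") from exc
    if not salt:
        raise ScramPolicyError("empty salt")
    count = attrs.get("i", "")
    # RFC 5802 posit-number: no leading zero; length bounded to keep int() cheap.
    if not re.fullmatch(r"[1-9][0-9]{0,8}", count):
        raise ScramPolicyError(f"invalid iteration count: {count!r}")
    iterations = int(count)
    # Refuse before any client proof is derived and sent: whoever sent this
    # message chose the count, and a low one makes offline guessing cheap.
    if iterations < min_iterations:
        raise ScramPolicyError(
            f"iteration count {iterations} is below client minimum {min_iterations}")
    return nonce, salt, iterations


# Constructed sample messages (not captured traffic).
CLIENT_NONCE = "constructedClientNonce"
SAMPLE_SALT = base64.b64encode(b"constructed-salt").decode()
SAMPLE_OK = f"r={CLIENT_NONCE}ServerPart,s={SAMPLE_SALT},i=4096"
SAMPLE_WEAK = f"r={CLIENT_NONCE}ServerPart,s={SAMPLE_SALT},i=1"
```
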