Re: Raising the SCRAM iteration count

> On 12 Dec 2022, at 15:47, Jonathan S. Katz <jkatz@postgresql.org> wrote:

> To throw on a bit of paint, if we do change it, we should likely follow what would come out in a RFC.
>
> While the SCRAM-SHA-512 RFC is still in draft[1], the latest draft it contains a "SHOULD" recommendation of 10000,
whichwas bumped up from 4096 in an earlier version of the draft: 

This is however the draft for a different algorithm: SCRAM-SHA-512.  We are
supporting SCRAM-SHA-256 which is defined in RFC7677.  The slightly lower
recommendation there makes sense as SHA-512 is more computationally expensive
than SHA-256.

It does raise an interesting point though, if we in the future add suppprt for
SCRAM-SHA-512 (which seems reasonable to do) it's not good enough to have a
single GUC for SCRAM iterations; we'd need to be able to set the iteration
count per algorithm. I'll account for that when updating the patch downthread.

--
Daniel Gustafsson        https://vmware.com/