Re: WIP: SCRAM authentication
From | Robert Haas |
---|---|
Subject | Re: WIP: SCRAM authentication |
Date | |
Msg-id | CA+TgmoazGS0TpAtrFw+ft1UVUevBBXew5Lo6b1jtozgykpy5PA@mail.gmail.com |
In reply to | Re: WIP: SCRAM authentication (Michael Paquier <michael.paquier@gmail.com>) |
Replies | Re: WIP: SCRAM authentication; Re: WIP: SCRAM authentication; Re: WIP: SCRAM authentication |
List | pgsql-hackers |

On Fri, Aug 7, 2015 at 6:54 PM, Michael Paquier <michael.paquier@gmail.com> wrote:
> This filtering machinery definitely looks like a GUC to me, something
> like password_forbidden_encryption that PASSWORD VERIFIERS looks at
> and discards the methods listed in there. This definitely needs to be
> separated from password_encryption.

I don't know what a "password verifier" is and I bet nobody else does either. Well, I think I sort of know: I think it's basically an encrypted password. Am I right? Even if I am, I bet the average user is going to scratch their head and punt.

I don't see that there's any good reason to allow the same password to be stored in the catalog encrypted more than one way, and I don't think there's any good reason to introduce the PASSWORD VERIFIER terminology. I think we should store (1) your password, either encrypted or unencrypted; and (2) the method used to encrypt it. And that's it.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company