Re: PG 10 release notes
| От | Michael Paquier |
|---|---|
| Тема | Re: PG 10 release notes |
| Дата | |
| Msg-id | CAB7nPqTJ+z0FyeJ2VdaPNA=XQaxmeM3WfnGbiCixt+q2hbNpaw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: [HACKERS] PG 10 release notes (Bruce Momjian <bruce@momjian.us>) |
| Список | pgsql-hackers |
On Wed, Apr 26, 2017 at 10:56 AM, Bruce Momjian <bruce@momjian.us> wrote: > First, I don't think RFC references belong in the release notes, let > alone RFC links. > > Second, there seems to be some confusion over what SCRAM-SHA-256 gives > us over MD5. I think there are a few benefits: > > o packets cannot be replayed as easily, i.e. md5 replayed random salt > packets with a 50% probability after 16k sessions > o hard to re-use SCRAM-SHA-256 string if disclosed vs. simple for md5 > o harder to brute-force trying all possible strings to find a matching > hash > > So if you tell users that SCRAM-SHA-256 is better than MD5 only because > of one of those, they will not realize that three benefits of changing > to SCRAM-SHA-256. I might have even missed some benefits. If the release notes keep a general tone, perhaps it would be better to mention as well that SCRAM is the recommended password-based authentication method moving forward? -- Michael
В списке pgsql-hackers по дате отправления: