On Wed, Apr 26, 2017 at 10:56 AM, Bruce Momjian <br...@momjian.us> wrote:
> First, I don't think RFC references belong in the release notes, let
> alone RFC links.
>
> Second, there seems to be some confusion over what SCRAM-SHA-256 gives
> us over MD5.  I think there are a few benefits:
>
> o  packets cannot be replayed as easily, i.e. md5 replayed random salt
> packets with a 50% probability after 16k sessions
> o  hard to re-use SCRAM-SHA-256 string if disclosed vs. simple for md5
> o  harder to brute-force trying all possible strings to find a matching
> hash
>
> So if you tell users that SCRAM-SHA-256 is better than MD5 only because
> of one of those, they will not realize that three benefits of changing
> to SCRAM-SHA-256.  I might have even missed some benefits.

If the release notes keep a general tone, perhaps it would be better
to mention as well that SCRAM is the recommended password-based
authentication method moving forward?
-- 
Michael


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to