On 08/08/2015 04:27 PM, Robert Haas wrote:
> I don't see that there's any good reason to allow the same password to
> be stored in the catalog encrypted more than one way,

Sure there is. If you want to be able to authenticate using different mechanisms, you need the same password "encrypted" in different ways. SCRAM uses a verifier that's derived from the password in one way, MD5 authentication needs an MD5 hash, and yet other protocols have other requirements.

> and I don't think there's any good reason to introduce the PASSWORD
> VERIFIER terminology.  I think we should store (1) your password,
> either encrypted or unencrypted; and (2) the method used to encrypt
> it.  And that's it.

Like Joe and Stephen, I actually find it highly confusing that we call the MD5 hash an "encrypted password". The term "password verifier" is fairly common in the specifications of authentication mechanisms. I think we should adopt it.

- Heikki
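The distinction drawn above between an MD5 hash and a SCRAM verifier, as an added Python example that is not part of this thread: the same password yields two different stored values, and the SCRAM one lets the server check a client proof without ever holding the password. The SCRAM-SHA-256 storage layout and the 4096-iteration default are assumptions matching what PostgreSQL later adopted; the salt and auth message are constructed.

```python
import base64
import hashlib
import hmac

# SCRAM-SHA-256 parameters (RFC 5802 / RFC 7677); the iteration count is
# assumed to match the default PostgreSQL later adopted.
SCRAM_ITERATIONS = 4096


def md5_password_hash(username: str, password: str) -> str:
    """PostgreSQL's MD5 'encrypted password': "md5" + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def _scram_keys(password: str, salt: bytes, iterations: int):
    """Derive (ClientKey, StoredKey, ServerKey) from the password as SCRAM specifies."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def scram_sha256_verifier(password: str, salt: bytes, iterations: int = SCRAM_ITERATIONS) -> str:
    """The stored verifier; layout assumed from later PostgreSQL releases:
    SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (base64 fields)."""
    _, stored_key, server_key = _scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = _scram_keys(password, salt, iterations)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(k ^ s for k, s in zip(client_key, client_sig))


def scram_verify_proof(verifier: str, auth_message: bytes, client_proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare H(ClientKey) to
    StoredKey. Only the verifier is needed, never the password itself."""
    _, _, keys = verifier.split("$")
    stored_key = base64.b64decode(keys.split(":")[0])
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(p ^ s for p, s in zip(client_proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)
```

Note that the MD5 value is itself password-equivalent for MD5 authentication, whereas the SCRAM StoredKey is not enough to produce a valid ClientProof, which is why the two cannot be derived from one another and both must be stored if both mechanisms are to work.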



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers