On Tue, Apr 25, 2017 at 09:56:58PM -0400, Bruce Momjian wrote:
> > SCRAM-SHA-256 improves deficiencies of MD5 password hashing by
> > preventing any kind of pass-the-hash vulnerabilities, where a user
> > would be able to connect to a PostgreSQL instance by just knowing the
> > hash of a password and not the password itself.
> First, I don't think RFC references belong in the release notes, let
> alone RFC links.
> Second, there seems to be some confusion over what SCRAM-SHA-256 gives
> us over MD5.  I think there are a few benefits:
> o  packets cannot be replayed as easily, i.e. md5 replayed random salt
> packets with a 50% probability after 16k sessions

Sorry, it is after 64k sessions.  The rule of thumb is that if you
choose from 2^x random values, you have a 50% chance of repeating one
after 2^(x/2) numbers.

  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to