The SCRAM salt length is currently set as

/* length of salt when generating new verifiers */

without further comment.

I suspect that this length was chosen based on the example in RFC 5802
(SCRAM-SHA-1) section 5.  But the analogous example in RFC 7677
(SCRAM-SHA-256) section 3 uses a length of 16.  Should we use that instead?

Peter Eisentraut    
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to