Re: Maximum password length
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Bossart, Nathan" <bossartn@amazon.com>
Cc: Stephen Frost <sfrost@snowman.net>,
Isaac Morland <isaac.morland@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2018-10-13T00:02:00Z
Lists: pgsql-hackers
"Bossart, Nathan" <bossartn@amazon.com> writes: > On 10/12/18, 4:24 PM, "Stephen Frost" <sfrost@snowman.net> wrote: >> Specific use-cases here would be better than hand-waving at "these other >> things." Last I checked, all of those work with what we've got today >> and I don't recall hearing complaints about them not working due to this >> limit. > The main one I am thinking of is generated security tokens. It seems > reasonable to me to limit md5 and scram-sha-256 passwords to a much > shorter length, but I think the actual server message limit should be > somewhat more flexible. Sure, but even a generated security token seems unlikely to be more than a couple dozen bytes long. What's the actual use-case for tokens longer than that? ISTM that a limit around 100 bytes already has a whole lot of headroom. regards, tom lane
Commits
-
Remove arbitrary restrictions on password length.
- 67a472d71c98 14.0 landed
-
Remove support for password_encryption='off' / 'plain'.
- eb61136dc75a 10.0 cited