Re: Maximum password length

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Bossart, Nathan" <bossartn@amazon.com>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Alexander Kukushkin <cyberdemn@gmail.com>, Stephen Frost <sfrost@snowman.net>, "isaac.morland@gmail.com" <isaac.morland@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2020-09-03T21:07:24Z
Lists: pgsql-hackers
"Bossart, Nathan" <bossartn@amazon.com> writes:
> On 9/3/20, 10:19 AM, "Tom Lane" <tgl@sss.pgh.pa.us> wrote:
> +               char            pwdbuf[8192];

> If I am reading correctly, this would be the only defined password
> length limit once this patch is applied.  While it's probably unlikely
> that this will cause problems for anybody anytime soon, is there any
> reason not to give this the same treatment as the .pgpass code and
> remove the line length limit altogether?

Yeah, it just didn't quite seem worthwhile there, given the adjacent
comment that clearly says that this is second-class-citizen code:

         * Ideally this should insist that the file not be world-readable.
         * However, this option is mainly intended for use on Windows where
         * file permissions may not exist at all, so we'll skip the paranoia
         * for now.

If you insist, I'll change it, but it seems even less likely to ever
matter to anybody than the changes to make simple_prompt accept
indefinitely long passwords.  (Perhaps a reasonable compromise
is to extend this comment to note that we're also not bothering
to support indefinitely long passwords.)

			regards, tom lane



Commits

  1. Remove arbitrary restrictions on password length.

  2. Remove support for password_encryption='off' / 'plain'.