Re: Maximum password length

Nathan Bossart <bossartn@amazon.com>

From: "Bossart, Nathan" <bossartn@amazon.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Isaac Morland <isaac.morland@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2018-10-12T23:02:54Z
Lists: pgsql-hackers
On 10/12/18, 4:24 PM, "Stephen Frost" <sfrost@snowman.net> wrote:
> * Bossart, Nathan (bossartn@amazon.com) wrote:
>> My main motivation for suggesting the increase to 8k is to provide
>> flexibility for alternative authentication methods like LDAP, RADIUS,
>> PAM, and BSD.
>
> Specific use-cases here would be better than hand-waving at "these other
> things."  Last I checked, all of those work with what we've got today
> and I don't recall hearing complaints about them not working due to this
> limit.

The main one I am thinking of is generated security tokens.  It seems
reasonable to me to limit md5 and scram-sha-256 passwords to a much
shorter length, but I think the actual server message limit should be
somewhat more flexible.

Nathan

Commits

  1. Remove arbitrary restrictions on password length.

  2. Remove support for password_encryption='off' / 'plain'.