Re: Possible to store invalid SCRAM-SHA-256 Passwords
| From | Stephen Frost |
|---|---|
| Subject | Re: Possible to store invalid SCRAM-SHA-256 Passwords |
| Date | |
| Msg-id | 20190423144159.GP6197@tamriel.snowman.net |
| In response to | Re: Possible to store invalid SCRAM-SHA-256 Passwords (raf@raf.org) |
| Responses | Re: Possible to store invalid SCRAM-SHA-256 Passwords |
| List | pgsql-bugs |
Greetings,

* raf@raf.org (raf@raf.org) wrote:
> Stephen Frost wrote:
> > I agree we should also handle md5 better. I realize this needs to be
> > back-patched and so we have to deal with the existing catalog structure,
> > but this really screams out, in my mind anyway, that we shouldn't have
> > ever tried to just stash the password-encoding-type into the password
> > field and that we should have pulled it out into its own column, so that
> > we aren't having to guess about things as important as a password.
>
> I don't think there's anything wrong with prefixing a
> password hash with an identifier for the password
> hashing scheme (and any parameters for that scheme).
> This is done all the time in many systems. It just has
> to be unambiguous.

There isn't a way to make it unambiguous given that we accept
more-or-less anything as a plaintext password though, that would be the
issue here..

Thanks!

Stephen
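The ambiguity discussed in this message, as an added example that is not part of the original e-mail and not PostgreSQL's code: a single-column store has to guess whether a supplied string is plaintext or an already-hashed value, while a separate type column removes the guess. The regexes, function names, the toy md5 verifier and the `LOOKALIKE` password are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumed shapes of an already-hashed value; simplified for illustration.
MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+")

# Constructed input: a plaintext password that happens to have the md5 shape.
LOOKALIKE = "md5" + "0123456789abcdef" * 2


def guess_type(value):
    """In-band detection: infer the scheme from the string alone."""
    if MD5_RE.fullmatch(value):
        return "md5"
    if SCRAM_RE.fullmatch(value):
        return "scram-sha-256"
    return "plaintext"


def toy_hash(user, plaintext):
    """Stand-in verifier (md5 of password + user name), so this runs offline."""
    return "md5" + hashlib.md5((plaintext + user).encode()).hexdigest()


def store_in_band(user, supplied):
    """One column: anything that already looks hashed is stored verbatim."""
    if guess_type(supplied) != "plaintext":
        return supplied
    return toy_hash(user, supplied)


def store_out_of_band(user, supplied, declared):
    """Two columns: the caller declares what the value is; nothing is guessed."""
    if declared == "plaintext":
        return ("md5", toy_hash(user, supplied))
    return (declared, supplied)


def verify(user, stored_hash, attempt):
    """Password check against a stored toy md5 verifier."""
    return toy_hash(user, attempt) == stored_hash


if __name__ == "__main__":
    in_band = store_in_band("alice", LOOKALIKE)
    scheme, out_of_band = store_out_of_band("alice", LOOKALIKE, "plaintext")
    print("in-band:", guess_type(LOOKALIKE), verify("alice", in_band, LOOKALIKE))
    print("out-of-band:", scheme, verify("alice", out_of_band, LOOKALIKE))
```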