Tom Lane wrote:
> Andrew Gierth <andrew@tao11.riddles.org.uk> writes:
> > "PG" == PG Bug reporting form <noreply@postgresql.org> writes:
> > PG> Can you please add `bcrypt` as method option?
>
> > Not unless it gets added to the SCRAM specification.
>
> > Note that our primary goal here is to provide a secure and standard
> > challenge-response authentication mechanism, not to provide random
> > alternate algorithms for password storage.
>
> Worth noting here is that for us, the price of an additional
> authentication mechanism is very high, because it's not just a matter
> of adding some code to the server. Client-side libraries also need to
> be taught about it, and most of those are not maintained by the core
> PG project. So it takes years to make anything happen --- the
> addition of SCRAM is still a work in progress, for example.
>
> Thus, we aren't going to add stuff on a whim, and when we do add some
> new mechanism, there has to be a really solid argument that it's a
> *significant* advance over what we have.
>
> regards, tom lane
bcrypt is better than pbkdf2, but pbkdf2 is still good for the same reasons that bcrypt is good (brute force resistance). If you want bcrypt/scrypt/argon2, pbkdf2 will probably be good enough. And some organisations may require pbkdf2 because it is NIST-approved while the others aren't.
cheers,
raf
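The thread turns on the point that SCRAM is a challenge-response mechanism whose only slow step is PBKDF2 (the `Hi()` function of RFC 5802/7677), so the password-storage algorithm is fixed by the specification rather than being a pluggable "method option". The following is an added example, not code from this thread or from PostgreSQL, showing the full SCRAM-SHA-256 derivation and the server-side proof check: the server stores only StoredKey and ServerKey, the client proves knowledge of the password without sending it, and the iteration count is the brute-force work factor. Assumptions: SASLprep normalization of the password is skipped, the salt and the `AuthMessage` are constructed sample values (a real `AuthMessage` is assembled from the exchanged client-first/server-first/client-final messages), and the `$`-separated verifier layout mirrors the one PostgreSQL stores for a role.

```python
import base64
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 4096  # the minimum iteration count RFC 7677 recommends


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def hi(password, salt, iterations):
    """Hi() from RFC 5802: PBKDF2 with HMAC-SHA-256 as the PRF.

    This is the only costly step of SCRAM, so `iterations` is the
    work factor an offline brute-force attacker has to pay per guess.
    Assumption of this example: the password is used as raw UTF-8
    without SASLprep normalization.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def scram_keys(password, salt, iterations):
    """Return (ClientKey, StoredKey, ServerKey) for SCRAM-SHA-256."""
    salted_password = hi(password, salt, iterations)
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def make_scram_verifier(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Build the stored verifier. The server keeps StoredKey and ServerKey only;
    the password itself and the salted password are never stored."""
    if salt is None:
        salt = os.urandom(16)
    _client_key, stored_key, server_key = scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    # Same "$"-separated layout PostgreSQL uses for a SCRAM role password.
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_scram_verifier(verifier):
    """Split a verifier string into (iterations, salt, StoredKey, ServerKey)."""
    mech, params, keys = verifier.split("$")
    if mech != "SCRAM-SHA-256":
        raise ValueError("unsupported mechanism: " + mech)
    iterations, salt_b64 = params.split(":")
    stored_b64, server_b64 = keys.split(":")
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    The proof depends on the server's nonce via AuthMessage, so it cannot
    be replayed, and it never reveals the password or the salted password."""
    client_key, stored_key, _server_key = scram_keys(password, salt, iterations)
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return xor_bytes(client_key, client_signature)


def server_verify(verifier, auth_message, proof):
    """Server side: recover ClientKey from the proof and check H(ClientKey)
    against the stored StoredKey. Returns the ServerSignature the client
    uses to authenticate the server, or None if the proof is invalid."""
    iterations, salt, stored_key, server_key = parse_scram_verifier(verifier)
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    recovered_client_key = xor_bytes(proof, client_signature)
    if not hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), stored_key):
        return None
    return hmac.new(server_key, auth_message, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample values: a fixed salt and a stand-in AuthMessage.
    salt = b"0123456789abcdef"
    verifier = make_scram_verifier("correct horse battery", salt)
    auth_message = b"n=user,r=clientnonce,r=clientnonceservernonce,s=salt,i=4096,c=biws,r=clientnonceservernonce"
    proof = client_proof("correct horse battery", salt, DEFAULT_ITERATIONS, auth_message)
    print("stored verifier:", verifier)
    print("proof accepted:", server_verify(verifier, auth_message, proof) is not None)
    bad = client_proof("wrong password", salt, DEFAULT_ITERATIONS, auth_message)
    print("wrong password accepted:", server_verify(verifier, auth_message, bad) is not None)
```

The server side never calls `hi()` during authentication; it only recomputes two HMACs and a hash, which is why the per-login cost is cheap for the server while each offline guess against a leaked verifier still costs a full PBKDF2 run. Raising `iterations` raises that per-guess cost for an attacker, and it also raises the client's cost by the same factor, which is the knob the specification gives you in place of swapping in bcrypt.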