> On 23 May 2023, at 23:02, Stephen Frost <sfrost@snowman.net> wrote:
> * Jacob Champion (jchampion@timescale.com) wrote:
>> - low iteration counts accepted by the client make it easier than it
>> probably should be for a MITM to brute-force passwords (note that
>> PG16's scram_iterations GUC, being server-side, does not mitigate
>> this)
>
> This would be good to improve on.
The mechanics of this are quite straighforward, the problem IMHO lies in how to
inform and educate users what a reasonable iteration count is, not to mention
what an iteration count is in the first place.
> Perhaps more succinctly- maybe we should be making adjustments to the
> current language instead of just adding a new paragraph.
+1
--
Daniel Gustafsson