Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r5olx-00FDRw-OF for pgsql-hackers@arkaria.postgresql.org; Wed, 22 Nov 2023 15:04:13 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1r5olw-009SfD-7r for pgsql-hackers@arkaria.postgresql.org; Wed, 22 Nov 2023 15:04:12 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r5olv-009Sf5-UU for pgsql-hackers@lists.postgresql.org; Wed, 22 Nov 2023 15:04:11 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r5olt-006pAH-HX for pgsql-hackers@lists.postgresql.org; Wed, 22 Nov 2023 15:04:10 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 3AMF47Jq1674902; Wed, 22 Nov 2023 10:04:07 -0500 From: Tom Lane To: Daniel Gustafsson cc: Aleksander Alekseev , Postgres hackers , Bowen Shi Subject: Re: [PATCH] Add CHECK_FOR_INTERRUPTS in scram_SaltedPassword loop. In-reply-to: References: Comments: In-reply-to Daniel Gustafsson message dated "Wed, 22 Nov 2023 14:59:07 +0100" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1674900.1700665447.1@sss.pgh.pa.us> Content-Transfer-Encoding: quoted-printable Date: Wed, 22 Nov 2023 10:04:07 -0500 Message-ID: <1674901.1700665447@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Daniel Gustafsson writes: >> On 22 Nov 2023, at 14:30, Aleksander Alekseev wrote: >> It sort of makes sense. I wonder though if we should limit the maximum >> number of iterations instead. If somebody specified 1_000_000+ >> iteration this could also indicate a user error. > I don't think it would be useful to limit this at an arbitrary point, it= eration > count can be set per password and if someone want a specific password to= be > super-hard to brute force then why should we limit that? Maybe because it could be used to construct a DOS scenario? In particular, since CHECK_FOR_INTERRUPTS doesn't work on the frontend side, a situation like this wouldn't be interruptible there. I agree with Aleksander that such cases are much more likely to indicate user error than anything else. regards, tom lane