Hi, while looking through postgresql.conf on PG18, I noticed that password_encryption mentions md5 as a valid alternative to scram-sha-256. I think it would be useful to mention that md5 is deprecated so that people looking at it (but who have otherwise not gotten the memo) will realize and hopefully act on it.
Patch attached; I think it would be a candidate for being back-patched to PG18 if accepted.
Michael
From d8f476363f393b12232b4a973cbfffbbac25fc0a Mon Sep 17 00:00:00 2001 From: Michael Banck <[email protected]> Date: Fri, 14 Nov 2025 11:38:45 +0100 Subject: [PATCH] Mention that md5-hashed passwords are deprecated in sample postgresql.conf. Version 18 deprecates passwords hashed with password_encryption = 'md5', but the comments for this GUC in postgresql.conf.sample did not mention this. Adding a deprecation notice here might make more people aware of this and lead them to migrate to SCRAM. --- src/backend/utils/misc/postgresql.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 08bcef50c19..4f09ddd82e3 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -94,7 +94,7 @@ # - Authentication - #authentication_timeout = 1min # 1s-600s -#password_encryption = scram-sha-256 # scram-sha-256 or md5 +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5 #scram_iterations = 4096 #md5_password_warnings = on #oauth_validator_libraries = '' # comma-separated list of trusted validator modules -- 2.39.5
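Review bot: In the password_encryption line of the @@ -94,7 +94,7 @@ hunk, the qualifier comes before the value it describes ("scram-sha-256 or (deprecated) md5"). Writing it as "scram-sha-256 or md5 (deprecated)" keeps the accepted values first for someone scanning the allowed settings and reads more naturally. The md5_password_warnings line two lines further down stays without any trailing comment, so a reader who notices "deprecated" here gets no hint that the neighbouring setting is related; a short comment on that line would tie the two together. The commit message says version 18 deprecates these passwords, so the back-patch request is consistent with the change, but the sample file comment itself carries no version, which is fine as long as the patch only goes to branches where the deprecation applies.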
