On Tue, Apr 25, 2017 at 10:16 PM, Bruce Momjian <br...@momjian.us> wrote:
> Well, we could add "MD5 users are encouraged to switch to
> SCRAM-SHA-256". Now whether we want to list this as something on the
> SCRAM-SHA-256 description, or mention it as an incompatibility, or
> under Migration. I am not clear that MD5 is in such terrible shape that
> this is warranted.
I think it's warranted. The continuing use of MD5 has been a headache for some EnterpriseDB customers who have compliance requirements which they must meet. It's not that they themselves necessarily know or care whether MD5 is secure, although in some cases they do; it's that if they use it, they will be breaking laws or regulations to which their business or agency is subject. I imagine customers of other PostgreSQL companies have similar issues.

But leaving that aside, the advantage of SCRAM isn't merely that it uses a better algorithm to hash the password. It has other advantages also, like not being vulnerable to replay attacks. If you're doing password authentication, you should really be using SCRAM, and encouraging people to move to SCRAM after upgrading is a good idea.

That having been said, SCRAM is a wire protocol break. You will not be able to upgrade to SCRAM unless and until the drivers you use to connect to the database add support for it. The only such driver that's part of libpq; other drivers that have reimplemented the PostgreSQL wire protocol will have to be updated with SCRAM support before it will be possible to use SCRAM with those drivers. I think this should be mentioned in the release notes, too.

I also think it would be great if somebody would put together a wiki page listing all the popular drivers and (1) whether they use libpq or reimplement the wire protocol, and (2) if the latter, the status of any efforts to implement SCRAM, and (3) if those efforts have been completed, the version from which they support SCRAM. Then, I think we should reach out to all of the maintainers of those driver authors who aren't moving to support SCRAM and encourage them to do so.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
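As an added illustration of the replay point made in the message above (example code written for this page, not code from the thread or from PostgreSQL itself): a minimal SCRAM-SHA-256 exchange following RFC 5802, using PostgreSQL's default of 4096 iterations. The user name, salt and passwords are constructed, SASLprep normalization and the server-signature step are omitted, and a captured ClientProof is fed back into a second handshake to show that it is rejected because the server's nonce has changed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What the server stores for a role: StoredKey plus the KDF parameters, never
    the password. 4096 iterations is PostgreSQL's default; SASLprep is omitted."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest()}


def authenticate(verifier: dict, password: str, user: str = "alice",
                 replayed_proof: Optional[bytes] = None) -> Tuple[bytes, bool]:
    """One SCRAM-SHA-256 handshake. If replayed_proof is given, the client sends that
    captured proof instead of computing one (a replayed client-final message).
    Returns (ClientProof sent, accepted by server)."""
    # Both sides contribute fresh random nonces; both end up inside AuthMessage.
    cnonce = base64.b64encode(os.urandom(18)).decode()
    snonce = cnonce + base64.b64encode(os.urandom(18)).decode()
    client_first_bare = f"n={user},r={cnonce}"
    server_first = (f"r={snonce},s={base64.b64encode(verifier['salt']).decode()},"
                    f"i={verifier['iterations']}")
    client_final_bare = f"c=biws,r={snonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()

    if replayed_proof is None:
        # Client: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     verifier["salt"], verifier["iterations"])
        client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
        stored_key = hashlib.sha256(client_key).digest()
        proof = xor_bytes(client_key, hmac.new(stored_key, auth_message, hashlib.sha256).digest())
    else:
        proof = replayed_proof

    # Server: recover ClientKey from the proof and check it hashes to the StoredKey on file.
    client_sig = hmac.new(verifier["stored_key"], auth_message, hashlib.sha256).digest()
    recovered_key = xor_bytes(proof, client_sig)
    accepted = hmac.compare_digest(hashlib.sha256(recovered_key).digest(), verifier["stored_key"])
    return proof, accepted
```

A proof is bound to the AuthMessage of its own handshake, so a sniffed proof from one session is useless against the fresh nonce of the next; the server also never sees the password or anything it could reuse as a client.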