On Fri, May 5, 2017 at 9:38 AM, Albe Laurenz <laurenz.a...@wien.gv.at> wrote:

> Tom Lane wrote:
> > Robert Haas <robertmh...@gmail.com> writes:
> >> On Wed, May 3, 2017 at 7:31 AM, Heikki Linnakangas <hlinn...@iki.fi> wrote:
> >>> So, I propose that we remove support for password_encryption='plain' in
> >>> PostgreSQL 10. If you try to do that, you'll get an error.
>
> >> I have no idea how widely used that option is.
>
> > Is it possible that there are still client libraries that don't support
> > password encryption at all? If so, are we willing to break them?
> > I'd say "yes" but it's worth thinking about.
>
> We have one application that has been reduced to "password" authentication
> ever since "crypt" authentication was removed, because they implemented the
> line protocol rather than using libpq and never bothered to move to "md5".
>
> But then, it might be a good idea to break this application, because that
> would force the vendor to implement something that is not a
> blatant security problem.

It might. But I'm pretty sure the suggestion does not include removing the
"password" authentication type, that one will still exist. This is just about
password *storage*.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
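The distinction Magnus draws, between the pg_hba.conf authentication method ("password" sends the cleartext over the wire, "md5" is a salted challenge-response) and the password_encryption setting that decides what lands in pg_authid.rolpassword, is easy to model. The following is an added example written for this page, not code from the thread or from PostgreSQL itself; the function names and the sample credentials are mine, while the hash formats it reproduces are PostgreSQL's documented ones: md5 storage is the literal prefix "md5" followed by the hex MD5 of password concatenated with the role name, and the "md5" authentication response is "md5" followed by the hex MD5 of that inner hex digest concatenated with the server's 4-byte salt. It shows why removing 'plain' storage does not remove "password" authentication: the server can check a cleartext password against an md5-stored one by hashing what it receives.

```python
import hashlib


def md5_stored_form(password: str, username: str) -> str:
    """Value PostgreSQL writes to pg_authid.rolpassword when
    password_encryption = 'md5': the literal prefix "md5" followed by the
    hex MD5 of the password concatenated with the role name (the role name
    acts as a fixed, per-user salt)."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def store_password(password: str, username: str, password_encryption: str) -> str:
    """What CREATE ROLE ... PASSWORD stores under each password_encryption
    setting discussed in the thread (helper name is mine)."""
    if password_encryption == "plain":
        return password  # cleartext in the catalog; this is the setting being removed
    if password_encryption == "md5":
        return md5_stored_form(password, username)
    raise ValueError(f"unsupported password_encryption: {password_encryption!r}")


def password_auth_check(stored: str, username: str, sent_cleartext: str) -> bool:
    """Server-side check for the 'password' authentication method in
    pg_hba.conf: the client sends the cleartext password over the wire.
    The server can validate it against either storage form, which is why
    dropping 'plain' storage does not drop 'password' authentication."""
    if stored.startswith("md5"):
        return stored == md5_stored_form(sent_cleartext, username)
    return stored == sent_cleartext


def md5_auth_client_response(password: str, username: str, salt: bytes) -> str:
    """Client side of the 'md5' authentication method: the server sends a
    4-byte random salt, and the client answers with
    "md5" + hex(md5(hex(md5(password + username)) + salt))."""
    inner_hex = md5_stored_form(password, username)[3:]
    return "md5" + hashlib.md5(inner_hex.encode("ascii") + salt).hexdigest()


def md5_auth_server_check(stored: str, username: str, salt: bytes, response: str) -> bool:
    """Server side of 'md5' authentication. With md5 storage the inner hash
    is already in the catalog; with plain storage the server computes it
    first. Either way the cleartext never crosses the wire."""
    if stored.startswith("md5"):
        inner_hex = stored[3:]
    else:
        inner_hex = md5_stored_form(stored, username)[3:]
    expected = "md5" + hashlib.md5(inner_hex.encode("ascii") + salt).hexdigest()
    return expected == response


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    user, pw = "app_user", "correct horse battery staple"
    salt = b"\x01\x02\x03\x04"  # a fixed salt stands in for the server's random one
    for setting in ("plain", "md5"):
        stored = store_password(pw, user, setting)
        print(f"password_encryption={setting}: rolpassword={stored}")
        print("  'password' auth ok:", password_auth_check(stored, user, pw))
        resp = md5_auth_client_response(pw, user, salt)
        print("  'md5' auth ok:     ", md5_auth_server_check(stored, user, salt, resp))
```

Running it shows both authentication methods succeeding under both storage settings; the only thing 'plain' storage buys is a cleartext copy of every password in the catalog, which is the exposure the proposal removes. The Albe Laurenz case in the thread (a client that speaks only "password" authentication) keeps working after the change because the check against md5 storage is the one in password_auth_check.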