On Fri, Mar 4, 2022 at 6:03 PM Tatsuo Ishii wrote:
>
>> I still don't understand why using plaintext password authentication
>> over SSL connection is considered insecure. Actually we have been
>> stating opposite in the manual:
>> https://www.postgresql.org/docs/14/auth-password.html
>>
>> "If the connection is protected by SSL encryption then
On Thu, Mar 3, 2022 at 11:50 PM Tatsuo Ishii wrote:
>
>> So, dropping plaintext password authentication support from libpq will
>> make it impossible for users to use the former method.
>
> Yes, just like dropping support for md5 would make it impossible for
> users to have their passwords be hashed with md5, which is an altogether
> good thing
Greetings,
* Tatsuo Ishii (is...@sraoss.co.jp) wrote:
> On 2/25/22 12:39 PM, Tom Lane wrote:
>> Jeff Davis writes:
>>> On Thu, 2022-02-24 at 20:47 -0500, Tom Lane wrote:
... and, since we can't readily enforce that the client only sends
those cleartext passwords over suitably-encrypted connections, this
could easily be a net negative