Re: md5 passwords and pg_shadow

Neil Conway <nconway@klamath.dyndns.org> writes:
> IMHO, there are two separate processes going on here:

The connection you are missing is that hashed password storage is
incompatible with crypt-style password transmission.  If we force
hashed storage then the only password transmission style available
to pre-7.2 clients is cleartext.  It's not at all clear that securing
the on-disk representation is a more important goal than wire security.
(Perhaps it is for some cases, but in other cases it's surely not.)
So the parameter variable is there to let the DBA choose which he's
more worried about.

We should probably change the default setting for 7.3, but I don't
think we'll be able to force hashed storage of passwords in all
installations for awhile longer yet.
        regards, tom lane