Re: md5 passwords and pg_shadow
From | Tom Lane |
---|---|
Subject | Re: md5 passwords and pg_shadow |
Date | |
Msg-id | 4665.1019760858@sss.pgh.pa.us |
In reply to | Re: md5 passwords and pg_shadow (Neil Conway <nconway@klamath.dyndns.org>) |
Responses | Re: md5 passwords and pg_shadow |
List | pgsql-hackers |

Neil Conway <nconway@klamath.dyndns.org> writes:
> How many pre-7.2 clients are actually out there? If 'crypt' authentication
> is deprecated in 7.2, is there any chance it will be removed in
> 7.3? If it is, it should be safe to switch to the scheme I mentioned
> in my previous email, which is both less complicated, and
> "secure-by-default".

I don't see any particular need to change the implementation; what we have works and it's flexible.

I do think we should change the default password_encryption setting soon. IIRC, we agreed to default to FALSE at a time when we didn't have md5 password support in the jdbc and odbc drivers. We probably should have revisited the decision once we knew that 7.2 would ship with md5 support in all client libraries --- but we didn't think to. It seems unlikely to me that FALSE will be the preferred setting for very many 7.3 installations. There might be a few people out there still using 7.1 clients with 7.3 servers, but a majority? No.

regards, tom lane