Re: crypt auth
From | Peter Eisentraut |
---|---|
Subject | Re: crypt auth |
Date | |
Msg-id | 48FC923A.5080402@gmx.net |
In response to | crypt auth (Magnus Hagander <magnus@hagander.net>) |
Responses | Re: crypt auth |
List | pgsql-hackers |
Magnus Hagander wrote:
> I notice our docs have:
>
> If you are at all concerned about password
> <quote>sniffing</> attacks then <literal>md5</> is preferred, with
> <literal>crypt</> to be used only if you must support pre-7.2
> clients. Plain <literal>password</> should be avoided especially for
>
>
> At what point do we just remove the support and say that people need to
> upgrade their clients? Sure, it's up to ppl not to configure it that
> way, but security-wise it's a foot-gun that I think is completely
> unnecessary.

AFAICT, removing an authentication method requires a protocol version
bump. If you think it is worth dealing with those complications, then
go for it. I think it might be worth it.