Re: reducing our reliance on MD5

On 02/11/2015 02:49 PM, Robert Haas wrote:
> So, this all sounds fairly nice if somebody's willing to do the work,
> but I can't help noticing that you originally proposed adopting SCRAM
> in 2012, and it's 2015 now.  So I wonder if anyone's really going to
> do all this work, and if not, whether we should go for something
> simpler.  Just plugging something else in for MD5 would be a lot less
> work for us to implement and for clients to support, even if it is (as
> it unarguably is) less elegant.

"Just plugging something else in for MD5" would still be a fair amount 
of work. Not that much less than the full program I proposed.

Well, I guess it's easier if you immediately stop supporting MD5, have a 
"flag day" in all clients to implement the replacement, and break 
pg_dump/restore of passwords in existing databases. That sounds 
horrible. Let's do this properly. I can help with that, although I don't 
know if I'll find the time and enthusiasm to do all of it alone.

- Heikki