Re: Rejecting weak passwords

From: Robert Haas
Subject: Re: Rejecting weak passwords
Date:
Msg-id: 603c8f070910190707v1da3ab09uc7ed36576fafacdb@mail.gmail.com
In reply to: Re: Rejecting weak passwords  (Peter Eisentraut <peter_e@gmx.net>)
List: pgsql-hackers
On Mon, Oct 19, 2009 at 7:34 AM, Peter Eisentraut <peter_e@gmx.net> wrote:
> On Thu, 2009-10-15 at 13:19 -0400, Robert Haas wrote:
>> But I don't understand why everyone is
>> so worked up about having an *optional* *flag* to force plaintext
>> instead of MD5.
>
> It would be pretty bad usability.  Users would be faced with the choice:
> you can have secure authentication or good passwords, but not both.
> (For some values of "secure" and "good".)  I think most people would
> want both.

Unless you have the ability to entirely control the software that
users use to access PostgreSQL, which is probably only true in
super-high-security environments and is certainly false anywhere I've
ever worked, you can only have one of those things.

SSH keys or SSL certificates are great for defeating network attacks,
but I know a lot of people who keep SSL certificates unencrypted on
their laptops because there's no easy way to stop them.  Those very
same people can EASILY be forced to pick relatively good Windows logon
passwords because AD can enforce password complexity requirements.  Of
course, they can't be forced not to write their Windows logon password
on a napkin, but they also can't be forced not to run an unsecured FTP
server on their laptop that provides access to their unencrypted SSH
keys/SSL certificates.

Now, we can argue all day about probabilities, but I don't see any
reason to believe that we know for sure what the best trade-off is in
every environment, which is why I favor providing options, documenting
the trade-offs, and letting users make the final decision.

...Robert
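The trade-off argued above, as an added illustration that is not part of the thread or of PostgreSQL itself: a server-side password policy check can only inspect a plaintext password, so a client that pre-hashes with PostgreSQL's MD5 scheme ('md5' + md5(password || username)) arrives as an opaque string, and the "optional flag to force plaintext" is what lets the policy reject it instead of waving it through unchecked. The minimum length and the rule set are assumed policy values, not from the thread.

```python
import hashlib
import re

MIN_LENGTH = 8  # assumed policy value, not from the thread


def pg_md5_password(password: str, username: str) -> str:
    """Pre-hash a password the way a PostgreSQL client does before sending
    it in ALTER ROLE ... PASSWORD: 'md5' + hex(md5(password || username))."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_prehashed(secret: str) -> bool:
    """A pre-hashed password is exactly 'md5' followed by 32 hex digits."""
    return re.fullmatch(r"md5[0-9a-f]{32}", secret) is not None


def check_password(username: str, secret: str, require_plaintext: bool = False) -> str:
    """Return 'ok' or a reason string.

    require_plaintext models the optional flag under discussion: when set,
    a pre-hashed password is rejected because its strength cannot be judged;
    when unset it is accepted unchecked, which is all an MD5-only setup
    can do. The remaining rules are an assumed, simple complexity policy."""
    if is_prehashed(secret):
        if require_plaintext:
            return "rejected: pre-hashed, cannot verify strength"
        return "accepted unchecked: pre-hashed"
    if len(secret) < MIN_LENGTH:
        return "rejected: too short"
    if username.lower() in secret.lower():
        return "rejected: contains username"
    has_letter = any(c.isalpha() for c in secret)
    has_other = any(not c.isalpha() for c in secret)
    if not (has_letter and has_other):
        return "rejected: needs letters and non-letters"
    return "ok"
```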
