Re: [HACKERS] password_encryption, default and 'plain' support
From | Michael Paquier |
---|---|
Subject | Re: [HACKERS] password_encryption, default and 'plain' support |
Date | |
Msg-id | CAB7nPqRGic5ROd=5EqVYOm-UhBPz+=_qRkQTR-mysuEMJFEy9g@mail.gmail.com |
In response to | Re: [HACKERS] password_encryption, default and 'plain' support (Magnus Hagander <magnus@hagander.net>) |
Responses | Re: [HACKERS] password_encryption, default and 'plain' support |
List | pgsql-hackers |
On Wed, May 3, 2017 at 8:38 PM, Magnus Hagander <magnus@hagander.net> wrote:
> On Wed, May 3, 2017 at 1:31 PM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> In various threads on SCRAM, we've skirted around the question of whether
>> we should still allow storing passwords in plaintext. I've avoided
>> discussing that in those other threads, because it's been an orthogonal
>> question, but it's a good question and we should discuss it.
>>
>> So, I propose that we remove support for password_encryption='plain' in
>> PostgreSQL 10. If you try to do that, you'll get an error.
>
> Is there any use case at all for it today? For developers running
> applications on top of Postgres?
>
>> Another question that's been touched upon but not explicitly discussed, is
>> whether we should change the default to "scram-sha-256". I propose that we
>> do that as well. If you need to stick to md5, e.g. because you use drivers
>> that don't support SCRAM yet, you can change it in postgresql.conf, but the
>> majority of installations that use modern clients will be more secure by
>> default.
>
> Much as that's going to cause issues for some people, I think it's worth
> doing. We should probably put something specific in the release notes
> mentioning the error message you get in libpq, and possibly some of the
> other most common drivers.

My original view on the matter was, and is still, to wait for one or two
releases before switching the default to scram.
--
Michael
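Before removing 'plain' or flipping the default to scram-sha-256, an administrator will want to know which roles still carry plaintext or md5 verifiers in pg_authid. The following audit is an added example, not code from this thread or from PostgreSQL itself; the sample rows are constructed, and the verifier formats it recognises are the ones PostgreSQL stores for each password_encryption setting (an md5 verifier is "md5" followed by 32 hex digits, a SCRAM verifier is "SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>", and anything else was stored as-is under 'plain').

```python
import re

# Constructed sample of pg_authid.rolname -> rolpassword (hypothetical values,
# not taken from any real cluster or from the mailing-list thread).
SAMPLE_ROLES = {
    "app_md5":   "md5" + "a" * 32,                       # md5(password || rolname)
    "app_plain": "s3cret",                               # password_encryption='plain'
    "app_scram": "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVka2V5:c2VydmVya2V5",
    "nologin":   None,                                   # no password set
}

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$(\d+):([^$]+)\$([^:]+):(.+)$")


def classify_verifier(rolpassword):
    """Name the storage method implied by one rolpassword value.

    Note: a plaintext password that itself looks like "md5" + 32 hex digits
    is indistinguishable from an md5 verifier; the server treats it the same
    way, so this audit does too.
    """
    if rolpassword is None:
        return "none"
    if MD5_RE.match(rolpassword):
        return "md5"
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    return "plain"


def scram_iterations(rolpassword):
    """Return the iteration count of a SCRAM-SHA-256 verifier, else None."""
    m = SCRAM_RE.match(rolpassword or "")
    return int(m.group(1)) if m else None


def audit_roles(roles, allowed=("scram-sha-256",)):
    """Return {rolname: method} for password-bearing roles whose verifier
    is not in `allowed`; these need a password reset before 'plain' goes
    away or the default changes."""
    return {name: classify_verifier(pw) for name, pw in roles.items()
            if pw is not None and classify_verifier(pw) not in allowed}


if __name__ == "__main__":
    for name, method in audit_roles(SAMPLE_ROLES).items():
        print(f"{name}: stored with {method}, reset needed")
```

On a live cluster the same dictionary would come from `SELECT rolname, rolpassword FROM pg_authid`, which requires superuser access.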