Re: add warning upon successful md5 password auth
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: Andreas Karlsson <andreas@proxel.se>, pgsql-hackers@postgresql.org
Date: 2026-02-13T17:43:10Z
Lists: pgsql-hackers
Nathan Bossart <nathandbossart@gmail.com> writes: > On Fri, Feb 13, 2026 at 06:04:14AM +0100, Andreas Karlsson wrote: >> The patch looks good and I think it would make sense to merge it in 19, why >> wait for 20? But the main question I see is if this is too noisy or not. >> Some applications connected to PostgreSQL quite a lot and I am sure we would >> make some users unhappy so I am not fully on board with this patch. But on >> the other hand we have way too many people who still use md5 and we really >> should push them towards using scram. > FWIW if users are really annoyed with these warnings, they can disable them > by setting md5_password_warnings to off. But I think we really ought to do > something like $subject before we completely remove MD5 password support. +1. We need something like this to be there for at least a year or two before we can consider removing MD5 passwords entirely. As long as the warnings can be turned off, I think it's all right and indeed necessary to have them on-by-default. regards, tom lane PS: I've not read the patch, so this isn't an endorsement of details.
Commits
-
Warn upon successful MD5 password authentication.
- bc60ee860665 19 (unreleased) landed
-
Add password expiration warnings.
- 1d92e0c2cc47 19 (unreleased) cited