Re: password_encryption, default and 'plain' support

Magnus Hagander <magnus@hagander.net>

From: Magnus Hagander <magnus@hagander.net>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2017-05-03T18:51:49Z
Lists: pgsql-hackers
On Wed, May 3, 2017 at 5:52 PM, Robert Haas <robertmhaas@gmail.com> wrote:

> On Wed, May 3, 2017 at 7:31 AM, Heikki Linnakangas <hlinnaka@iki.fi>
> wrote:
> > In various threads on SCRAM, we've skirted around the question of
> whether we
> > should still allow storing passwords in plaintext. I've avoided
> discussing
> > that in those other threads, because it's been an orthogonal question,
> but
> > it's a good question and we should discuss it.
> >
> > So, I propose that we remove support for password_encryption='plain' in
> > PostgreSQL 10. If you try to do that, you'll get an error.
>
> I have no idea how widely used that option is.
>
> > Another question that's been touched upon but not explicitly discussed,
> is
> > whether we should change the default to "scram-sha-256". I propose that
> we
> > do that as well. If you need to stick to md5, e.g. because you use
> drivers
> > that don't support SCRAM yet, you can change it in postgresql.conf, but
> the
> > majority of installations that use modern clients will be more secure by
> > default.
>
> I think that we should investigate how many connectors have support
> for SCRAM or are likely to do so by the time v10 is released.  A *lot*
> of people are using connectors that are not based on libpq, especially
> JDBC but I think many of the others as well.  If most of those are
> going to support SCRAM by the time v10 comes out, cool, but if not,
> maybe it's wise to hold off for a release before flipping the default.
> Not sure.
>


From the traffic on the list it sounds like the JDBC people are working on
it already -- hopefully they will have something in time.

It might make sense to ping other "major drivers" people as well -- such as
maybe npgsql. What else?

A good approach might be to change the default now, before beta. Then if
drivers don't change, or if we get a lot of pushback from beta testers, we
change it back before release. But if we don't change it, we will not know
how big the impact would be...

-- 
 Magnus Hagander
 Me: https://www.hagander.net/ <http://www.hagander.net/>
 Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>

Commits

  1. Remove support for password_encryption='off' / 'plain'.