Re: PATCH: warn about, and deprecate, clear text passwords
Isaac Morland <isaac.morland@gmail.com>
From: Isaac Morland <isaac.morland@gmail.com>
To: Greg Sabino Mullane <htamfids@gmail.com>
Cc: Nathan Bossart <nathandbossart@gmail.com>, Aleksander Alekseev <aleksander@timescale.com>, tgl@sss.pgh.pa.us, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-03T17:11:55Z
Lists: pgsql-hackers
On Mon, 3 Mar 2025 at 12:07, Greg Sabino Mullane <htamfids@gmail.com> wrote:

> On Mon, Mar 3, 2025 at 11:33 AM Nathan Bossart <nathandbossart@gmail.com> wrote:
>
>> I think it would be good to hear some other opinions on whether we should
>> consider sending clear-text passwords to the server as either 1) fully
>> supported, 2) deprecated but with no intent to remove anytime soon, or 3)
>> deprecated with the intent of removal at some point in the next several
>> years. I personally am -1 on the warning unless we have a consensus on
>> (3), but I'm +1 on adding a way to enforce "pre-encryption" regardless.
>
> That's more than fair. And "deprecation" doesn't need to mean that's the
> next step in the process. So warn -> deny by default (but allow if you work
> at it) -> remove completely. Which is very similar to our md5 path, I
> suppose. I'm certainly happy staying at that middle stage for an indefinite
> amount of time for both of those, as it means that Postgres is both "secure
> by default" but backwards compatible.

It's too bad we didn't have this discussion a few years ago. We could have
decided that SCRAM authentication doesn't allow sending cleartext passwords
and then relied on the phase-out of MD5 passwords to phase out sending of
cleartext passwords.
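The "pre-encryption" Nathan refers to is the client building the SCRAM-SHA-256 verifier itself (as libpq's PQencryptPasswordConn and psql's \password do), so that ALTER ROLE ... PASSWORD carries only the verifier and the cleartext never crosses the wire; the server keeps a string that already has verifier form verbatim, and a patch that warns about cleartext passwords has to make exactly that distinction. The following is an added example, written for this page and not code from the patch or from PostgreSQL, showing the verifier construction (PBKDF2-HMAC-SHA256, then StoredKey/ServerKey derivation) and the check that tells a pre-built verifier from a cleartext password. Function names and the constructed sample password and salt are assumptions; SASLprep is approximated with NFKC normalization, which is not what libpq does for every input.

```python
import base64
import hashlib
import hmac
import os
import re
import unicodedata

# PostgreSQL's default for scram_iterations.
SCRAM_ITERATIONS = 4096

# Stored form of a SCRAM-SHA-256 verifier:
#   SCRAM-SHA-256$<iterations>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>
VERIFIER_RE = re.compile(
    r"^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$"
)


def build_scram_verifier(password, salt=None, iterations=SCRAM_ITERATIONS):
    """Build a SCRAM-SHA-256 verifier client-side (hypothetical helper name).

    Only the returned string needs to travel to the server, which is the
    'pre-encryption' path; the cleartext password stays on the client.
    """
    if salt is None:
        salt = os.urandom(16)
    # Approximation of SASLprep (RFC 4013) for this example, not libpq's code.
    normalized = unicodedata.normalize("NFKC", password).encode("utf-8")
    salted_password = hashlib.pbkdf2_hmac("sha256", normalized, salt, iterations)
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha256).digest()

    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def is_scram_verifier(candidate):
    """True if the string is a structurally valid SCRAM-SHA-256 verifier."""
    match = VERIFIER_RE.match(candidate)
    if not match:
        return False
    iterations, salt_b64, stored_b64, server_b64 = match.groups()
    try:
        salt = base64.b64decode(salt_b64, validate=True)
        stored_key = base64.b64decode(stored_b64, validate=True)
        server_key = base64.b64decode(server_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Both keys are SHA-256 outputs, so they must be exactly 32 bytes.
    return int(iterations) > 0 and len(salt) > 0 and len(stored_key) == 32 and len(server_key) == 32


def classify_password_argument(password_arg):
    """Decide what ALTER ROLE ... PASSWORD was handed: a verifier or cleartext.

    This is the decision a 'warn about clear text passwords' check has to make:
    anything that is not already a verifier arrived in the clear.
    """
    return "pre-encrypted" if is_scram_verifier(password_arg) else "cleartext"


def password_matches_verifier(password, verifier):
    """Recompute the verifier from its own salt and iteration count and compare.

    Demonstrates that the stored verifier is sufficient to check a password
    without the server ever having held the cleartext.
    """
    match = VERIFIER_RE.match(verifier)
    if not match:
        return False
    iterations = int(match.group(1))
    salt = base64.b64decode(match.group(2))
    recomputed = build_scram_verifier(password, salt=salt, iterations=iterations)
    return hmac.compare_digest(recomputed.encode("ascii"), verifier.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    verifier = build_scram_verifier("correct horse battery staple")
    print(classify_password_argument("correct horse battery staple"))  # cleartext
    print(classify_password_argument(verifier))                        # pre-encrypted
    print(password_matches_verifier("correct horse battery staple", verifier))
```

The verifier check is purely structural; it cannot tell whether a given verifier was built with a strong password, only that no cleartext reached the server in that statement.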