Re: md5_password_warnings for password auth with MD5-encrypted passwords

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Cc: masao.fujii@gmail.com, pgsql-hackers@lists.postgresql.org, Nathan Bossart <nathandbossart@gmail.com>
Date: 2026-06-24T14:43:21Z
Lists: pgsql-hackers
On Mon, Jun 22, 2026 at 9:49 PM Kyotaro Horiguchi
<horikyota.ntt@gmail.com> wrote:
> In the password authentication case, the authentication
> protocol itself does not use MD5, and MD5 password storage is already
> warned about when the verifier is created.

Presumably the verifier was created a while back, though, in the case
of an upgrade. Personally I think it makes sense to warn whenever the
MD5 hash is used to authenticate.

No opinion on the patch implementation, though (cc'd Nathan who might?).

--Jacob



Commits

  1. Warn on password auth with MD5-encrypted passwords