Re: md5_password_warnings for password auth with MD5-encrypted passwords
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Cc: masao.fujii@gmail.com, pgsql-hackers@lists.postgresql.org, Nathan Bossart <nathandbossart@gmail.com>
Date: 2026-06-24T14:43:21Z
Lists: pgsql-hackers
On Mon, Jun 22, 2026 at 9:49 PM Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote: > In the password authentication case, the authentication > protocol itself does not use MD5, and MD5 password storage is already > warned about when the verifier is created. Presumably the verifier was created a while back, though, in the case of an upgrade. Personally I think it makes sense to warn whenever the MD5 hash is used to authenticate. No opinion on the patch implementation, though (cc'd Nathan who might?). --Jacob
Commits
-
Warn on password auth with MD5-encrypted passwords
- e57a865dc700 19 (unreleased) landed
- f6fdc2a4a737 master landed