Re: add warning upon successful md5 password auth

Nathan Bossart <nathandbossart@gmail.com>

From: Nathan Bossart <nathandbossart@gmail.com>
To: Andreas Karlsson <andreas@proxel.se>
Cc: pgsql-hackers@postgresql.org
Date: 2026-02-13T17:26:26Z
Lists: pgsql-hackers
On Fri, Feb 13, 2026 at 06:04:14AM +0100, Andreas Karlsson wrote:
> The patch looks good and I think it would make sense to merge it in 19, why
> wait for 20? But the main question I see is if this is too noisy or not.
> Some applications connected to PostgreSQL quite a lot and I am sure we would
> make some users unhappy so I am not fully on board with this patch. But on
> the other hand we have way too many people who still use md5 and we really
> should push them towards using scram.

FWIW if users are really annoyed with these warnings, they can disable them
by setting md5_password_warnings to off.  But I think we really ought to do
something like $subject before we completely remove MD5 password support.

-- 
nathan



Commits

  1. Warn upon successful MD5 password authentication.

  2. Add password expiration warnings.