Re: [HACKERS] password_encryption, default and 'plain' support

From Robert Haas
Subject Re: [HACKERS] password_encryption, default and 'plain' support
Date
Msg-id CA+TgmobR6jhWsB0qZtuA+1jCN43d80kbva0-E7POaUr44tcMEw@mail.gmail.com
In reply to [HACKERS] password_encryption, default and 'plain' support  (Heikki Linnakangas <hlinnaka@iki.fi>)
Responses Re: [HACKERS] password_encryption, default and 'plain' support  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: [HACKERS] password_encryption, default and 'plain' support  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
On Wed, May 3, 2017 at 7:31 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> In various threads on SCRAM, we've skirted around the question of whether we
> should still allow storing passwords in plaintext. I've avoided discussing
> that in those other threads, because it's been an orthogonal question, but
> it's a good question and we should discuss it.
>
> So, I propose that we remove support for password_encryption='plain' in
> PostgreSQL 10. If you try to do that, you'll get an error.

I have no idea how widely used that option is.

> Another question that's been touched upon but not explicitly discussed, is
> whether we should change the default to "scram-sha-256". I propose that we
> do that as well. If you need to stick to md5, e.g. because you use drivers
> that don't support SCRAM yet, you can change it in postgresql.conf, but the
> majority of installations that use modern clients will be more secure by
> default.

I think that we should investigate how many connectors have support
for SCRAM or are likely to do so by the time v10 is released.  A *lot*
of people are using connectors that are not based on libpq, especially
JDBC but I think many of the others as well.  If most of those are
going to support SCRAM by the time v10 comes out, cool, but if not,
maybe it's wise to hold off for a release before flipping the default.
Not sure.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
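An added inventory check, not part of this thread or of PostgreSQL's own code, for the question both messages raise: before 'plain' storage goes away or the default moves to scram-sha-256, an administrator wants to know how each role's password is currently stored in pg_authid. The storage formats are PostgreSQL's; the sample rows and the SCRAM base64 fields are constructed.

```python
import hashlib
import re

# Added example (not from the thread): classify how pg_authid.rolpassword stores each
# role's password, so roles still on 'plain' or md5 can be found before the default changes.
# Storage formats: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey> (base64 fields),
# md5<32 hex> where hex = md5(password || rolname), any other non-NULL value = plaintext.
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")

def md5_role_password(password, rolname):
    """Reproduce the md5 storage format; the role name is the only salt."""
    return "md5" + hashlib.md5((password + rolname).encode("utf-8")).hexdigest()

def classify(rolpassword):
    """Return 'scram-sha-256', 'md5', 'plain', or None (no password set)."""
    if rolpassword is None:
        return None
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    if MD5_RE.match(rolpassword):
        return "md5"
    return "plain"

def audit(roles):
    """roles: iterable of (rolname, rolpassword) rows. Returns (counts, flagged),
    where flagged lists roles whose password is stored as plain or md5."""
    counts = {"scram-sha-256": 0, "md5": 0, "plain": 0, None: 0}
    flagged = []
    for rolname, rolpassword in roles:
        kind = classify(rolpassword)
        counts[kind] += 1
        if kind in ("plain", "md5"):
            flagged.append((rolname, kind))
    return counts, flagged

# Constructed sample rows standing in for: SELECT rolname, rolpassword FROM pg_authid;
SAMPLE_ROLES = [
    ("alice", "SCRAM-SHA-256$4096:c2FsdHNhbHRzYWx0$QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=:QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI="),  # constructed fields
    ("bob", md5_role_password("correct horse", "bob")),  # md5(password || rolname)
    ("carol", "correct horse"),  # stored with password_encryption='plain'
    ("replicator", None),  # no password, e.g. certificate or peer authentication
]

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_ROLES)
    print(counts)
    print(flagged)
```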
