On Wed, May 3, 2017 at 7:31 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: > In various threads on SCRAM, we've skirted around the question of whether we > should still allow storing passwords in plaintext. I've avoided discussing > that in those other threads, because it's been an orthogonal question, but > it's a good question and we should discuss it. > > So, I propose that we remove support for password_encryption='plain' in > PostgreSQL 10. If you try to do that, you'll get an error.
I have no idea how widely used that option is. > Another question that's been touched upon but not explicitly discussed, is > whether we should change the default to "scram-sha-256". I propose that we > do that as well. If you need to stick to md5, e.g. because you use drivers > that don't support SCRAM yet, you can change it in postgresql.conf, but the > majority of installations that use modern clients will be more secure by > default.
I think that we should investigate how many connectors have support for SCRAM or are likely to do so by the time v10 is released. A *lot* of people are using connectors that are not based on libpq, especially JDBC but I think many of the others as well. If most of those are going to support SCRAM by the time v10 comes out, cool, but if not, maybe it's wise to hold off for a release before flipping the default. Not sure.
From the traffic on the list it sounds like the JDBC people are working on it already -- hopefully they will have something in time.
It might make sense to ping other "major drivers" people as well -- such as maybe npgsql. What else?
A good approach might be to change the default now, before beta. Then if drivers don't change, or if we get a lot of pushback from beta testers, we change it back before release. But if we don't change it, we will not know how big the impact would be...