Hi,

On 2022-02-25 13:40:54 -0500, Jonathan S. Katz wrote:
> On 2/25/22 12:39 PM, Tom Lane wrote:
> > My point is that sending cleartext passwords over the wire is an
> > insecure-by-definition protocol that we shouldn't be encouraging
> > more use of.
>
> This is my general feeling as well. We just spent a bunch of effort adding,
> refining, and making SCRAM the default method. I think doing anything that
> would drive more use of sending plaintext passwords, even over TLS, is
> counter to that.

I want to again emphasize that, as proposed, a custom auth method can use
SCRAM if relevant for it, with a small amount of code. So the whole plaintext
discussion seems independent.

Samay, what do you think about updating the test plugin to do SCRAM instead of
plaintext, just to highlight that fact?

Greetings,

Andres Freund