On 11/10/2024 00:03, Bruce Momjian wrote:
> On Wed, Oct  9, 2024 at 10:30:15PM +0200, Jelte Fennema-Nio wrote:
>> On Wed, 9 Oct 2024 at 21:55, Nathan Bossart <nathandboss...@gmail.com> wrote:
>>> In this message, I propose a multi-year, incremental approach to remove MD5
>>> password support from Postgres.
>>
>> +many for the general idea
>>
>> I think it makes sense to also remove the "password" authentication
>> option while we're at it (this can currently be used with SCRAM stored
>> passwords).
>
> I remember "password" as being recommended for SSL connections where
> there is no risk of the password contents being seen.

I wouldn't recommend it if SCRAM is available, but yeah, with TLS and sslmode=verify-full, it's secure enough.

Note that some authentication methods like LDAP and Radius use "password" authentication on the wire.

--
Heikki Linnakangas
Neon (https://neon.tech)
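
The distinction discussed in this thread can be checked against a server's `pg_hba.conf`. The following is an added example, not part of the thread or of PostgreSQL: it flags records whose method puts the password itself on the wire (`password`, `ldap`, `radius`) and says whether the record type enforces an encrypted transport, and it also lists `md5` records. The function name `audit_hba`, the issue labels and the sample file are constructed for illustration.

```python
import shlex

# Methods where the client sends the password itself to the server
# (the thread names "password", LDAP and RADIUS).
CLEARTEXT = {"password", "ldap", "radius"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
# Record types that only match transport-encrypted connections.
ENCRYPTED_TYPES = {"hostssl", "hostgssenc"}

def audit_hba(text):
    """Return (line_no, type, method, issue) for records worth reviewing."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # handles quoting and comments
        if not fields or fields[0] not in HOST_TYPES:
            continue  # blank, comment, "local" (no network), include directives
        # ADDRESS is one field (CIDR/hostname) or an IP followed by a netmask.
        has_mask = len(fields) > 5 and ("." in fields[4] or ":" in fields[4])
        idx = 5 if has_mask else 4
        if len(fields) <= idx:
            continue  # malformed record; the server would reject it
        ctype, method = fields[0], fields[idx]
        if method in CLEARTEXT:
            # An encrypted record type does not prove the client verified the
            # server: sslmode=verify-full is a client-side setting.
            enforced = ctype in ENCRYPTED_TYPES
            issue = "encrypted-transport" if enforced else "transport-not-enforced"
            findings.append((no, ctype, method, issue))
        elif method == "md5":
            findings.append((no, ctype, method, "md5"))
    return findings

# Constructed sample, not taken from any real server.
SAMPLE_HBA = """\
# TYPE    DATABASE USER     ADDRESS                    METHOD
local     all      postgres                            peer
hostssl   all      all      10.0.0.0/8                 scram-sha-256
host      all      all      0.0.0.0/0                  password
hostssl   app      app      192.168.1.0 255.255.255.0  ldap ldapserver=ldap.example.net ldapprefix="uid="
hostnossl all      all      ::1/128                    radius radiusservers=localhost radiussecrets=x
host      all      legacy   10.1.0.0/16                md5
hostssl   all      all      10.2.0.0/16                password
"""

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA):
        print(*finding)
```

Records reported as `encrypted-transport` still depend on every client connecting with `sslmode=verify-full`, which the server configuration cannot enforce.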
