I'm not sure I understand all this talk about deferring changing the default to pg13. AFAICS only a few fringe drivers are missing support; not changing in pg12 means we're going to leave *all* users, even those whose clients have support, without the additional security for 18 more months.
IIUC the vast majority of clients already support SCRAM auth. So the vast majority of PG users can take advantage of the additional security. I think the only massive-adoption exception is JDBC, and apparently they already have working patches for SCRAM.

Like many other configuration parameters, setting the default for this one is a trade-off: give the most benefit to most users, causing the least possible pain to users for whom the default is not good. Users that require opening connections from clients that have not updated should just set password_encryption to md5. It's not like things will suddenly blow up in their faces.

IMO we don't need to wait until every single client in existence has updated to support SCRAM. After all, they've already had two years.

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
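The mitigation the message describes, setting password_encryption to md5 only for the roles whose clients have not updated while everyone else gets SCRAM, as an added example (not part of the original post or of PostgreSQL's own documentation). The role names app_modern and app_legacy and the address 10.0.0.5/32 are assumptions for illustration. It also shows the check a DBA would want before flipping the default: password_encryption only decides how passwords set from now on are stored, so existing md5 verifiers stay md5 until each password is set again.

```sql
-- Added example; hypothetical role names app_modern / app_legacy.

-- 1. How the server will hash passwords that are set from now on.
SHOW password_encryption;                    -- 'md5' or 'scram-sha-256'

-- Prefer SCRAM cluster-wide. This does NOT rewrite any stored verifier;
-- it only affects passwords assigned after the setting takes effect.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- 2. Find roles that are still carrying md5 verifiers (superuser only).
--    Stored SCRAM verifiers start with 'SCRAM-SHA-256$', md5 ones with 'md5'.
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword IS NULL                THEN '(no password)'
         ELSE 'other'
       END AS stored_as
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- 3. Migrate by re-setting the password: the verifier type follows the
--    value of password_encryption in effect when ALTER ROLE runs.
SET password_encryption = 'scram-sha-256';
ALTER ROLE app_modern PASSWORD 'replace-me';

-- Session-level override for one role whose client cannot speak SCRAM yet.
SET password_encryption = 'md5';
ALTER ROLE app_legacy PASSWORD 'replace-me-too';
RESET password_encryption;

-- 4. pg_hba.conf (not SQL; quoted here as a comment). A scram-sha-256 line
--    rejects a role whose stored verifier is md5, while an md5 line will
--    still negotiate SCRAM for a role whose verifier is SCRAM, so the md5
--    entry only needs to cover the legacy role and its source address:
--
--    # TYPE   DATABASE  USER        ADDRESS        METHOD
--    hostssl  all       app_legacy  10.0.0.5/32    md5
--    hostssl  all       all         0.0.0.0/0      scram-sha-256
```

Setting the password with a literal in ALTER ROLE sends it to the server in the clear (and may land in server logs); psql's \password command hashes it client-side according to the server's current password_encryption, so it is the better way to do the actual migration.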