I'm not sure I understand all this talk about deferring changing the
default to pg13. AFAICS only a few fringe drivers are missing support;
not changing in pg12 means we're going to leave *all* users, even those
whose clients have support, without the additional security for 18 more
months.
IIUC the vast majority of clients already support SCRAM auth. So the
vast majority of PG users can take advantage of the additional security.
I think the only massive-adoption exception is JDBC, and apparently they
already have working patches for SCRAM.
Like many other configuration parameters, setting the default for this
one is a trade-off: give the most benefit to most users, causing the
least possible pain to users for whom the default is not good. Users
that require opening connections from clients that have not updated
should just set password_encryption to md5. It's not like things will
suddenly blow up in their faces.
IMO we don't need to wait until every single client in existence has
updated to support SCRAM. After all, they've already had two years.
--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
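As an added example (not part of the message above, and not PostgreSQL project code): the practical check an administrator wants before flipping the default, because changing password_encryption only affects passwords set afterwards; existing roles keep whatever verifier was stored when their password was last set. The role names app_user and legacy_app and the password strings are placeholders; a superuser session is assumed.

```sql
-- Added example, not from the original message. Assumes a superuser session.
-- Changing password_encryption does not rewrite stored verifiers: each
-- role keeps the hash format that was in effect when its password was set.

-- 1. Audit: which login roles still carry MD5 verifiers (and so cannot
--    authenticate with SCRAM) versus SCRAM-SHA-256 verifiers?
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword IS NULL                THEN 'no password'
         ELSE 'unknown'
       END AS verifier_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY verifier_type, rolname;

-- 2. Migrate a role: the new verifier uses the password_encryption value
--    in effect when ALTER ROLE runs, so set it explicitly for the session.
--    (app_user and the password are placeholders.)
SET password_encryption = 'scram-sha-256';
ALTER ROLE app_user PASSWORD 'replace-with-a-real-secret';

-- 3. Fallback for a single role whose client has not added SCRAM support
--    yet: store an MD5 verifier for that role only, instead of lowering
--    the server-wide default. (legacy_app is a placeholder.)
SET password_encryption = 'md5';
ALTER ROLE legacy_app PASSWORD 'replace-with-a-real-secret';
RESET password_encryption;
```

In pg_hba.conf the `md5` method accepts either verifier type (it negotiates SCRAM when the stored verifier is SCRAM-SHA-256), while the `scram-sha-256` method rejects roles that still hold MD5 verifiers, so run the audit before tightening pg_hba.conf.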