Magnus Hagander wrote:
> I notice our docs have:
>
> If you are at all concerned about password
> <quote>sniffing</> attacks then <literal>md5</> is preferred, with
> <literal>crypt</> to be used only if you must support pre-7.2
> clients. Plain <literal>password</> should be avoided especially for
>
>
> At what point do we just remove the support and say that people need to
> upgrade their clients? Sure, it's up to ppl not to configure it that
> way, but security-wise it's a foot-gun that I think is completely
> unnecessary.
AFAICT, removing an authentication method requires a protocol version
bump. If you think it is worth dealing with those complications, then
go for it. I think it might be worth it.