Re: Password leakage avoidance

From Dave Cramer
Subject Re: Password leakage avoidance
Date
Msg-id CADK3HHJM47AtOfw3bMDzCyJqXsc56xWDqjQWb+J+wUqNJbv9OQ@mail.gmail.com
In reply to Re: Password leakage avoidance (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers

On Wed, 3 Jan 2024 at 08:53, Robert Haas <robertmhaas@gmail.com> wrote:
> On Sun, Dec 24, 2023 at 12:06 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
> > We're likely to have new algorithms in the future, as there is a draft
> > RFC for updating the SCRAM hashes, and already some regulatory bodies
> > are looking to deprecate SHA256. My concern with relying on the
> > "encrypted_password" GUC (which is why PQencryptPasswordConn takes
> > "conn") makes it any easier for users to choose the algorithm, or if
> > they need to rely on the server/session setting.
>
> Yeah, I agree. It doesn't make much sense to me to propose that a GUC,
> which is a server-side setting, should control client-side behavior.
>
> Also, +1 for the general idea. I don't think this is a whole answer to
> the problem of passwords appearing in log files because (1) you have
> to be using libpq in order to make use of this

JDBC has it as of yesterday. I would imagine other clients will implement it.
Dave Cramer
