On 14 March 2017 at 15:40, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I was also thinking about that. Basically a primary method and a
>> fallback. If that were the case, a gradual transition could happen, and
>> if we want \password to enforce best practice it would be ok.
>
> Why exactly would anyone want "md5 only"? I should think that "scram
> only" is a sensible pg_hba setting, if the DBA feels that md5 is too
> insecure, but I do not see the point of "md5 only" in 2017. I think
> we should just start interpreting that as "md5 or better".
+1
As a potential open item, if we treat "md5" as ">= md5"
should we not also treat "password" as ">=password"?
It seems strange that we still support "password" and yet tell
everyonenot to use it.
I'd like PG10 to be the version where I don't have to tell people not
to use certain things, hash indexes, "password" etc.
--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services