Tom Lane wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> On Wed, May 3, 2017 at 7:31 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: >>> So, I propose that we remove support for password_encryption='plain' in >>> PostgreSQL 10. If you try to do that, you'll get an error.
>> I have no idea how widely used that option is.
> Is it possible that there are still client libraries that don't support > password encryption at all? If so, are we willing to break them? > I'd say "yes" but it's worth thinking about.
We have one application that has been reduced to "password" authentication ever since "crypt" authentication was removed, because they implemented the line protocol rather than using libpq and never bothered to move to "md5".
But then, it might be a good idea to break this application, because that would force the vendor to implement something that is not a blatant security problem.
It might. But I'm pretty sure the suggestion does not include removing the "password" authentication type, that one will still exist. This is just about password *storage*.
