Re: md5_password_warnings for password auth with MD5-encrypted passwords

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
Cc: masao(dot)fujii(at)gmail(dot)com, pgsql-hackers(at)lists(dot)postgresql(dot)org, Nathan Bossart <nathandbossart(at)gmail(dot)com>
Subject: Re: md5_password_warnings for password auth with MD5-encrypted passwords
Date: 2026-06-24 14:43:21
Message-ID: CAOYmi+n63QuS1nhYA4XmWvpbLaz8-f_HUNtiqBHpXqeZ_QQF-A@mail.gmail.com
Lists: pgsql-hackers

On Mon, Jun 22, 2026 at 9:49 PM Kyotaro Horiguchi
<horikyota(dot)ntt(at)gmail(dot)com> wrote:
> In the password authentication case, the authentication
> protocol itself does not use MD5, and MD5 password storage is already
> warned about when the verifier is created.

Presumably the verifier was created a while back, though, in the case
of an upgrade. Personally I think it makes sense to warn whenever the
MD5 hash is used to authenticate.

No opinion on the patch implementation, though (cc'd Nathan who might?).

--Jacob
