On Tue, Jun 03, 2025 at 10:34:06AM -0400, Tom Lane wrote:
> If we really want to be in people's face about this, the thing
> to do is to print a warning every time they log in with an MD5
> password. Also, to Michael's point, that really would be exactly
> the same place where the eventual "sorry, not supported anymore"
> message will be.
I held off on this because I was worried it might be far too noisy. That
does seem like it has the best chance of getting folks' attention, though.
If it's too noisy, users can always turn off the warnings.
> If we're not ready to be in their face that much, maybe the
> removal isn't so close after all.
I think some hackers would like to see it removed in ~v20. Personally, I'd
rather give it at least a few years. SCRAM was added in v10 and made
default in v14, and MD5 is likely going to be marked deprecated in v18.
So, maybe ~v22 is where we should plan to remove it.
--
nathan