Re: PATCH: warn about, and deprecate, clear text passwords

On 24/02/2025 14:55, Greg Sabino Mullane wrote:
> Guillaume Lelarge <guillaume(dot)lelarge(at)dalibo(dot)com
> <mailto:guillaume(dot)lelarge(at)dalibo(dot)com>> wrote:
>
> I'm obviously +1 on this patch since I sent kinda the same patch two
> weeks ago
>
>
> Ha ha, my brain forgot about that one (even though I commented on it!) -
> apologies for that.
>

No need to apologize :)

> set password_encryption to 'md5';
> create user u4 password 'md5u1';
> ...
>
> It complains that I'm using a plain text password and a MD5-
> encrypted password. Can't be both. (Probably not an issue with this
> patch, but rather an issue with the commit that implemented MD5-
> password warnings.)
>
>
> This is correct - it can be both. Not only are we sending a password in
> clear text, but we then encrypt it using MD5. Hence, two warnings.
>
> If I use a real md5 password, it only complains about MD5 encrypted
> password:
>
>
> Right. If someone sends us something that looks like an already-
> encrypted password, we just store it. See get_password_type() in
> backend/libpq/crypt.c. In which case, the actual password that a client
> would type in would *not* be what was sent over the wire as part of the
> ALTER USER / CREATE USER, so we don't complain.

Sounds good to me.

--
Guillaume Lelarge
Consultant
https://dalibo.com