On Mon, Oct 19, 2009 at 7:34 AM, Peter Eisentraut <pete...@gmx.net> wrote:
> On Thu, 2009-10-15 at 13:19 -0400, Robert Haas wrote:
>> But I don't understand why everyone is
>> so worked up about having an *optional* *flag* to force plaintext
>> instead of MD5.
>
> It would be pretty bad usability. Users would be faced with the choice:
> you can have secure authentication or good passwords, but not both.
> (For some values of "secure" and "good".) I think most people would
> want both.
Unless you have the ability to entirely control the software that users use to access PostgreSQL, which is probably only true in super-high-security environments and is certainly false anywhere I've ever worked, you can only have one of those things. SSH keys or SSL certificates are great for defeating network attacks, but I know a lot of people who keep SSL certificates unencrypted on their laptops because there's no easy way to stop them. Those very same people can EASILY be forced to pick relatively good Windows logon passwords because AD can enforce password complexity requirements. Of course, they can't be forced not to write their Windows logon password on a napkin, but they also can't be forced not to run an unsecured FTP server on their laptop that provides access to their unencrypted SSH keys/SSL certificates.

Now, we can argue all day about probabilities, but I don't see any reason to believe that we know for sure what the best trade-off is in every environment, which is why I favor providing options, documenting the trade-offs, and letting users make the final decision.

...Robert

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers