Should we drop md5 auth in PostgreSQL ? We are in 2023 !!!

[joanhey]

With the new PostgreSQL official docker image, we have again the problem with md5 auth.
I can fix it, but is it realistic to use md5 auth in 2023 ?

Some frameworks that fail, they had the time and energy to patch libpq for performance. So they can use some time to add the new scram (sha-256) auth in their frameworks.

More info: #7557 #8002

Give your feedback.

[NateBrady23]

@joanhey How many frameworks are failing because of this? Do you know offhand and can ping the contributors here?

[fakeshadow]

It should be default to sasl auth at this point. But there are some points I consider worth to mention:

1. It is still realistic to use md5. Do note that sasl auth can still happen on plain TCP connection which make it not any more safer realistically speaking. I believe most people use plain TCP in trusted local network anyway. (or unix socket)
2. Some if not most frameworks fail to do sasl auth are not using libpq. They are likely to use their language native db client which cause the problem(lack of feature) and it's considerable more work to write a native db driver than fork and patch libpq.

[fakeshadow]

@fafhrd91 Maybe it worth to implement sasl auth in ntex postgres.

[joanhey]

I think that fail for the auth ~30 frameworks permutations.

[msmith-techempower]

Okay, well it's 2025 now and I think we should be encouraging people to use best practices with their frameworks, and that should include database drivers that can support better security than md5.

[fakeshadow]

md5 auth is already deprecated from postgres and will be removed.
It's fair to switch to sasl as default and people had years of time to catch up.