[Patch] Mention md5 is deprecated in postgresql.conf.sample

Started by Michael Banck, about 2 months ago, 8 messages
#1Michael Banck
mbanck@gmx.net
1 attachment(s)

Hi,

while looking through postgresql.conf on PG18, I noticed that
password_encryption mentions md5 as valid alternative to scram-sha-256.
I think it would be useful to mention md5 is deprecated so that people
looking at it (but have otherwise not gotten the memo) will realize and
hopefully act on it.

Patch attached, I think it would be a candidate for being back-patched
to PG18 if accepted.

Michael

Attachments:

0001-Mention-that-md5-hashed-passwords-are-deprecated-in-.patch (text/x-diff; charset=us-ascii)
From d8f476363f393b12232b4a973cbfffbbac25fc0a Mon Sep 17 00:00:00 2001
From: Michael Banck <mbanck@gmx.net>
Date: Fri, 14 Nov 2025 11:38:45 +0100
Subject: [PATCH] Mention that md5-hashed passwords are deprecated in sample
 postgresql.conf.

Version 18 deprecates passwords hashed with password_encryption = 'md5', but
the comments for this GUC in postgresql.conf.sample did not mention this.
Adding a deprecation notice here might make more people aware of this and
lead them to migrate to SCRAM.
---
 src/backend/utils/misc/postgresql.conf.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 08bcef50c19..4f09ddd82e3 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -94,7 +94,7 @@
 # - Authentication -
 
 #authentication_timeout = 1min		# 1s-600s
-#password_encryption = scram-sha-256	# scram-sha-256 or md5
+#password_encryption = scram-sha-256	# scram-sha-256 or (deprecated) md5
 #scram_iterations = 4096
 #md5_password_warnings = on
 #oauth_validator_libraries = ''	# comma-separated list of trusted validator modules
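Review bot: the deprecation note stops at the password_encryption line, while the `#md5_password_warnings = on` line two below it is the switch that controls the warnings about this same deprecation and still carries no comment at all, so a reader who notices the new `(deprecated) md5` gets no pointer to where those warnings come from or that turning the switch off silences them. Suggest giving it a trailing comment in the same hunk, e.g. `#md5_password_warnings = on		# warn when a deprecated md5 password is set?`, so the two lines read as one story.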
-- 
2.39.5
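
As an added illustration, not part of the thread and not PostgreSQL's own code, here is a small Python audit that does what the new comment is meant to prompt: it reads a postgresql.conf fragment the way the server does (commented lines are defaults, a later uncommented line wins) and flags `password_encryption = md5` or `md5_password_warnings = off`, and it classifies `pg_authid.rolpassword` values so roles still carrying md5 verifiers can be listed for re-hashing. The config text and the role rows are constructed samples; the md5 verifier layout (`md5` + md5(password || rolname)) and the `SCRAM-SHA-256$iter:salt$StoredKey:ServerKey` layout are PostgreSQL's documented formats, but the SCRAM keys below are filler bytes rather than real derived keys.

```python
"""Audit helper: flag deprecated md5 password settings in postgresql.conf and md5 hashes in pg_authid."""
import base64
import hashlib
import re

# Constructed sample (not from the thread): the shipped defaults appear commented out,
# followed by an uncommented override block such as an old provisioning script might append.
SAMPLE_CONF = """\
# - Authentication -

#authentication_timeout = 1min\t\t# 1s-600s
#password_encryption = scram-sha-256\t# scram-sha-256 or (deprecated) md5
#scram_iterations = 4096
#md5_password_warnings = on\t\t# display md5 deprecation warnings?

# overrides appended by a legacy provisioning script
password_encryption = 'md5'   # keep old clients working
md5_password_warnings = off
"""

# postgresql.conf syntax: "name = value" or "name value"; the value is either bare
# (ends at whitespace or '#') or single-quoted with '' as the escaped quote.
_SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*(?:=|\s)\s*('(?:[^']|'')*'|[^#\s]+)")
_FALSE = {"off", "false", "no", "0", "f", "n"}


def parse_conf(text):
    """Active (uncommented) settings as {name: value}; a later line overrides an earlier one,
    as the server does. Lines starting with '#' are comments, so shipped defaults count as unset."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SETTING_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("'"):
            raw = raw[1:-1].replace("''", "'")
        settings[name] = raw
    return settings


def audit_conf(text):
    """Findings (strings) for settings that keep deprecated md5 passwords in play or hide the warnings."""
    settings = parse_conf(text)
    findings = []
    pe = settings.get("password_encryption")
    if pe is not None and pe.lower() == "md5":
        findings.append("password_encryption = md5: new and changed passwords are stored as deprecated "
                        "md5 hashes; set scram-sha-256 and re-set existing passwords")
    warn = settings.get("md5_password_warnings")
    if warn is not None and warn.lower() in _FALSE:
        findings.append("md5_password_warnings = off: the server's md5 deprecation WARNINGs are suppressed")
    return findings


_MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
_SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")


def classify_rolpassword(rolpassword):
    """Format of a pg_authid.rolpassword value: 'md5', 'scram-sha-256', 'none' or 'unknown'."""
    if rolpassword is None:
        return "none"
    if _MD5_RE.match(rolpassword):
        return "md5"
    if _SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    return "unknown"


def roles_needing_rehash(rows):
    """Role names whose stored verifier is an md5 hash; rows are (rolname, rolpassword) pairs,
    e.g. from: SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL."""
    return [name for name, pw in rows if classify_rolpassword(pw) == "md5"]


def _md5_verifier(password, rolname):
    # PostgreSQL's md5 verifier is 'md5' || hex(md5(password || rolname)): the only salt is the
    # role name, which is why these hashes are cheap to crack offline once pg_authid leaks.
    return "md5" + hashlib.md5((password + rolname).encode()).hexdigest()


def _fake_scram_verifier():
    # Only the shape of a SCRAM-SHA-256 verifier; salt and keys are filler bytes, not derived.
    def b64(b):
        return base64.b64encode(b).decode()
    return "SCRAM-SHA-256$4096:%s$%s:%s" % (b64(b"0123456789abcdef"), b64(b"S" * 32), b64(b"K" * 32))


# Constructed pg_authid sample rows: one legacy md5 role, one SCRAM role, one without a password.
SAMPLE_ROLES = [
    ("app_legacy", _md5_verifier("s3cret", "app_legacy")),
    ("app_v2", _fake_scram_verifier()),
    ("replicator", None),
]

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print("conf:", finding)
    print("roles still on md5:", roles_needing_rehash(SAMPLE_ROLES))
```

Reading `pg_authid` needs superuser. The server cannot convert an md5 verifier into a SCRAM one, since it never had the plaintext, so each flagged role has to get its password set again (`ALTER ROLE ... PASSWORD '...'`) while `password_encryption` is `scram-sha-256`; after that a pg_hba.conf line that still says `md5` keeps working, because the server uses SCRAM authentication automatically for roles whose stored verifier is SCRAM.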

#2Daniel Gustafsson
daniel@yesql.se
In reply to: Michael Banck (#1)
Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:

while looking through postgresql.conf on PG18, I noticed that
password_encryption mentions md5 as valid alternative to scram-sha-256.
I think it would be useful to mention md5 is deprecated so that people
looking at it (but have otherwise not gotten the memo) will realize and
hopefully act on it.

No objection. I suspect the overlap between users who don't read release notes
and users who read .conf.sample comments closely is pretty small, but it
certainly won't hurt.

-#password_encryption = scram-sha-256	# scram-sha-256 or md5
+#password_encryption = scram-sha-256	# scram-sha-256 or (deprecated) md5
 #scram_iterations = 4096
 #md5_password_warnings = on

Maybe this should be combined with a comment on md5_password_warnings as well?

--
Daniel Gustafsson

#3Michael Banck
mbanck@gmx.net
In reply to: Daniel Gustafsson (#2)
1 attachment(s)
Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

Hi,

On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:

On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
while looking through postgresql.conf on PG18, I noticed that
password_encryption mentions md5 as valid alternative to scram-sha-256.
I think it would be useful to mention md5 is deprecated so that people
looking at it (but have otherwise not gotten the memo) will realize and
hopefully act on it.

No objection. I suspect the overlap between users who don't read release notes
and users who read .conf.sample comments closely is pretty small, but it
certainly won't hurt.

I was under the impression (and it is the case on Debian/Ubuntu at
least, but pretty sure also for the RPM-based packaging) that the
content of postgresql.conf.sample was folded into the default
postgresql.conf on instance creation via distribution tools, so I think
people would generally see this (for new instances) if they look around
that part of their config files.

-#password_encryption = scram-sha-256	# scram-sha-256 or md5
+#password_encryption = scram-sha-256	# scram-sha-256 or (deprecated) md5
#scram_iterations = 4096
#md5_password_warnings = on

Maybe this should be combined with a comment on md5_password_warnings as well?

Good point, how about the attached?

Michael

Attachments:

v2-0001-Mention-that-md5-hashed-passwords-are-deprecated-.patch (text/x-diff; charset=us-ascii)
From cf89ec0757cdb5a9df7488379fb97fd8feeaf2d2 Mon Sep 17 00:00:00 2001
From: Michael Banck <mbanck@gmx.net>
Date: Fri, 14 Nov 2025 11:38:45 +0100
Subject: [PATCH v2] Mention that md5-hashed passwords are deprecated in sample
 postgresql.conf.

Version 18 deprecates passwords hashed with password_encryption = 'md5', but
the comments for this GUC in postgresql.conf.sample did not mention this.
Adding a deprecation notice here might make more people aware of this and
lead them to migrate to SCRAM. While at it, add a comment to the
md5_password_warnings GUC mentioning the MD5 deprecation there as well.
---
 src/backend/utils/misc/postgresql.conf.sample | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 08bcef50c19..5bfb0d8e297 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -94,9 +94,9 @@
 # - Authentication -
 
 #authentication_timeout = 1min		# 1s-600s
-#password_encryption = scram-sha-256	# scram-sha-256 or md5
+#password_encryption = scram-sha-256	# scram-sha-256 or (deprecated) md5
 #scram_iterations = 4096
-#md5_password_warnings = on
+#md5_password_warnings = on		# display md5 deprecation warnings?
 #oauth_validator_libraries = ''	# comma-separated list of trusted validator modules
 
 # GSSAPI using Kerberos
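Review bot: the new comment on `#md5_password_warnings = on` says what the switch displays but not what triggers it, so a reader still cannot tell whether the warning arrives when an md5 password is set or when one is used at login; the trigger is the useful part, since the neighbouring `password_encryption` comment already says md5 is deprecated. Suggest `# warn when a deprecated md5 password is set?` for that line, and keep `(deprecated) md5` on the `password_encryption` line as written rather than `md5 (deprecated)`, which could be read as marking the whole parameter, or both values, as deprecated.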
-- 
2.39.5

#4Daniel Gustafsson
daniel@yesql.se
In reply to: Michael Banck (#3)
Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

On 14 Nov 2025, at 13:15, Michael Banck <mbanck@gmx.net> wrote:
On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:

On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
while looking through postgresql.conf on PG18, I noticed that
password_encryption mentions md5 as valid alternative to scram-sha-256.
I think it would be useful to mention md5 is deprecated so that people
looking at it (but have otherwise not gotten the memo) will realize and
hopefully act on it.

No objection. I suspect the overlap between users who don't read release notes
and users who read .conf.sample comments closely is pretty small, but it
certainly won't hurt.

I was under the impression (and it is the case on Debian/Ubuntu at
least, but pretty sure also for the RPM-based packaging) that the
content of postgresql.conf.sample was folded into the default
postgresql.conf on instance creation via distribution tools, so I think
people would generally see this (for new instances) if they look around
that part of their config files.

Yes. I meant to write .conf but my fingers were faster than my brain and typed
the full .conf.sample. Sorry about that.

-#password_encryption = scram-sha-256 # scram-sha-256 or md5
+#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5
#scram_iterations = 4096
#md5_password_warnings = on

Maybe this should be combined with a comment on md5_password_warnings as well?

Good point, how about the attached?

Something like that yes. I'll wait for others to chime in but unless there are
objections I think we should go with something like this.

--
Daniel Gustafsson

#5Nathan Bossart
nathandbossart@gmail.com
In reply to: Daniel Gustafsson (#4)
Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

On Fri, Nov 14, 2025 at 01:57:28PM +0100, Daniel Gustafsson wrote:

Something like that yes. I'll wait for others to chime in but unless there are
objections I think we should go with something like this.

Seems fine to me. I'd like to start emitting WARNINGs in ~v20 when folks
log in using MD5 passwords, but until then, IMHO it's worthwhile to try
alerting folks in less intrusive ways.

--
nathan

#6Robert Treat
rob@xzilla.net
In reply to: Nathan Bossart (#5)
Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

On Fri, Nov 14, 2025 at 5:48 AM Michael Banck <mbanck@gmx.net> wrote:

Hi,

while looking through postgresql.conf on PG18, I noticed that
password_encryption mentions md5 as valid alternative to scram-sha-256.
I think it would be useful to mention md5 is deprecated so that people
looking at it (but have otherwise not gotten the memo) will realize and
hopefully act on it.

Patch attached, I think it would be a candidate for being back-patched
to PG18 if accepted.

+1 to the general idea, though I think it should go the other way
around (it is a small enough grammatical point I'm sure some would
argue the other way around).

# password_encryption = scram-sha-256 # scram-sha-256 or md5 (deprecated)

Also +1 for backpatching. IIRC this would only show up in new
clusters, but we're still pretty early on in the cycle, so it seems
worth it.

Robert Treat
https://xzilla.net

#7Michael Banck
mbanck@gmx.net
In reply to: Robert Treat (#6)
Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

Hi,

On Sat, Nov 15, 2025 at 09:37:37AM -0500, Robert Treat wrote:

+1 to the general idea, though I think it should go the other way
around (it is a small enough grammatical point I'm sure some would
argue the other way around).

# password_encryption = scram-sha-256 # scram-sha-256 or md5 (deprecated)

I thought about that, but then wondered whether people would think the
whole thing (password_encryption) is deprecated or maybe both
scram-sha-256 and md5?

Also +1 for backpatching. IIRC this would only show up in new
clusters, but we're still pretty early on in the cycle, so it seems
worth it.

Yeah.

Michael

#8Daniel Gustafsson
daniel@yesql.se
In reply to: Michael Banck (#7)
Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

On 15 Nov 2025, at 15:55, Michael Banck <mbanck@gmx.net> wrote:

Hi,

On Sat, Nov 15, 2025 at 09:37:37AM -0500, Robert Treat wrote:

+1 to the general idea, though I think it should go the other way
around (it is a small enough grammatical point I'm sure some would
argue the other way around).

# password_encryption = scram-sha-256 # scram-sha-256 or md5 (deprecated)

I thought about that, but then wondered whether people would think the
whole thing (password_encryption) is deprecated or maybe both
scram-sha-256 and md5?

Sleeping on it I agree with this, and ended up applying this version.

--
Daniel Gustafsson