PostgreSQL Finally Deprecates MD5 Passwords
- News link: https://www.phoronix.com/news/PostgreSQL-Deprecates-MD5-Pass
While long overdue, the PostgreSQL database server has finally deprecated MD5 password support with its latest code.
MD5 shouldn't be used for hashing passwords, as it is prone to attacks, and it should not have been in use for such purposes for years. But for those still relying on MD5 for password hashing, a multi-year plan has been initiated by PostgreSQL developers to end this practice.
As of yesterday, the PostgreSQL Git code for what will become PostgreSQL 18 carries numerous deprecation notices marking MD5 password support as deprecated. As explained in the [1]Git commit:
"MD5 has been considered to be unsuitable for use as a cryptographic hash algorithm for some time. Furthermore, MD5 password hashes in PostgreSQL are vulnerable to pass-the-hash attacks, i.e., knowing the username and hashed password is sufficient to authenticate. The SCRAM-SHA-256 method added in v10 is not subject to these problems and is considered to be superior to MD5.
This commit marks MD5 password support in PostgreSQL as deprecated and to be removed in a future release. The documentation now contains several deprecation notices, and CREATE ROLE and ALTER ROLE now emit deprecation warnings when setting MD5 passwords. The warnings can be disabled by setting the md5_password_warnings parameter to "off"."
As [2]discussed by PostgreSQL developers, that is likely to be the extent of the change for PostgreSQL 18: communicating clearly that MD5 password support is deprecated and will be removed in the future.
PostgreSQL 19 would then still support upgrading clusters with MD5 passwords and authenticating with them, but would no longer allow creating new ones. PostgreSQL 20 would disallow using MD5 passwords for authentication. Finally, PostgreSQL 21 would disallow upgrading with MD5 passwords, leaving no remaining MD5 password support within PostgreSQL. So MD5 password support will still be around for a few years if needed for whatever reason, but it is now officially deprecated and the removal path is in motion.
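To get ahead of that schedule, here is an added example (not from the article or the PostgreSQL project) that audits a cluster for roles still carrying MD5 hashes and shows the weak `password_encryption` setting beside the corrected one; the role name `app_user` and its password are hypothetical placeholders.

```sql
-- Added example, not part of the article or PostgreSQL itself.
-- Run as a superuser: pg_authid.rolpassword is not readable otherwise.

-- 1. Find login roles whose stored password is still an MD5 hash.
--    PostgreSQL stores MD5 hashes as 'md5<hex>' and SCRAM verifiers as
--    'SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>'.
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword IS NULL                THEN 'none (no password)'
         ELSE 'other'
       END AS hash_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY hash_type, rolname;

-- 2. Weak setting: new and re-set passwords are stored as MD5 hashes,
--    so every future ALTER ROLE ... PASSWORD would re-create the problem.
SHOW password_encryption;                 -- returns 'md5' on legacy clusters

-- Corrected setting (the default since PostgreSQL 14): store SCRAM-SHA-256
-- verifiers, which do not allow authenticating with the stored value alone.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();                  -- picks up the change without restart

-- 3. Re-set each affected role's password. The server cannot convert an
--    existing MD5 hash into a SCRAM verifier in place, so the cleartext
--    password must be supplied once; with step 2 applied it is stored as SCRAM.
ALTER ROLE app_user PASSWORD 'replace-with-real-password';   -- hypothetical role

-- 4. Confirm nothing MD5 is left before tightening pg_hba.conf.
SELECT count(*) AS md5_roles_remaining
FROM pg_authid
WHERE rolcanlogin AND rolpassword LIKE 'md5%';
```

Once the count reaches zero, `md5` authentication method lines in `pg_hba.conf` can be changed to `scram-sha-256`; the `md5` method already negotiates SCRAM for roles whose stored password is a SCRAM verifier, so re-hashing the roles first does not lock anyone out.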
[1] https://github.com/postgres/postgres/commit/db6a4a985bc09d260d5c29848e3c97f080646a53
[2] https://www.postgresql.org/message-id/ZwbfpJJol7lDWajL%40nathan