Re: PATCH: warn about, and deprecate, clear text passwords
Aleksander Alekseev <aleksander@timescale.com>
From: Aleksander Alekseev <aleksander@timescale.com>
To: Greg Sabino Mullane <htamfids@gmail.com>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-02-24T10:07:33Z
Lists: pgsql-hackers
Hi,

> There have been a few complaints lately about the fact that we
> cavalierly allow clear text passwords to be sent when doing CREATE USER
> or ALTER USER. These, of course, can end up in many places, such as
> pg_stat_activity, pg_stat_statements, .psql_history, and the server
> logs. It is a genuinely valid complaint, and for security purposes,
> there is little recourse other than telling users "don't do that". The
> canonical recommendation is to use psql's awesome \password feature.
> Second best is to use your application/driver of choice, which
> hopefully has support for not sending passwords in the clear.

If the problem is that the password might be logged, wouldn't a proper
solution be not to log such queries?

I don't see how a warning and an extra GUC will improve the overall
security of the system, and I suspect very few users will voluntarily
trade convenience for security by choosing "disallow". So in its current
state the patch doesn't seem to help much.

--
Best regards,
Aleksander Alekseev