Re: PATCH: warn about, and deprecate, clear text passwords

Isaac Morland <isaac.morland@gmail.com>

From: Isaac Morland <isaac.morland@gmail.com>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: Greg Sabino Mullane <htamfids@gmail.com>, Aleksander Alekseev <aleksander@timescale.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-02-24T21:06:41Z
Lists: pgsql-hackers

On Mon, 24 Feb 2025 at 15:47, Nathan Bossart <nathandbossart@gmail.com> wrote:

> This is perhaps a nitpick, but one issue with ERROR-ing for clear text
> passwords is that the default logging settings seem to send the statement
> to the logs, too.  So, it might actually increase the likelihood of the
> password showing up in the logs.  I'm not sure what else could be done, but
> I believe the conventional wisdom is that logs can contain sensitive
> information, so maybe it's okay...  It still seems weird to me to try to
> help folks to avoid logging passwords by logging their passwords.
>

It is definitely ironic, but it’s non-routinely logging their proposed new
password which, due to the server settings, does not actually get set as
the new password, in order to prevent routinely logging their passwords.

What I mean is, after the error is thrown and the proposed password logged,
they need to re-try with a pre-encrypted password which will not be logged.
If they choose a new password, then the logged one is irrelevant, and even
if they don't, it's just one password rather than all the ones they change.
So on the whole I think this is good. And in any case I believe the
existing behaviour can still be had by configuration so we're not really
imposing anything on anybody.