Re: PATCH: warn about, and deprecate, clear text passwords
Nathan Bossart <nathandbossart@gmail.com>
From: Nathan Bossart <nathandbossart@gmail.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Greg Sabino Mullane <htamfids@gmail.com>, Isaac Morland <isaac.morland@gmail.com>, Aleksander Alekseev <aleksander@timescale.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-14T15:21:30Z
Lists: pgsql-hackers

On Mon, Mar 03, 2025 at 01:54:59PM -0500, Robert Haas wrote:
> Oh, good point. I don't know. I just have heard a LOT of complaining
> about passwords showing up in the log, and I'm not sure insisting that
> they have to all be encrypted is going to make all of the complaining
> stop.

+1. At this point, IMHO we should consider this v19 material to provide more time for discussion on the best way to tackle this problem. Blocking plain-text passwords in CREATE/ALTER ROLE commands may be part of it, but as Robert notes, we might need to do more.

--
nathan