Password leakage avoidance
Joe Conway <mail@joeconway.com>
From: Joe Conway <mail@joeconway.com>
To: PostgreSQL-development <pgsql-hackers@postgreSQL.org>
Cc: Dave Cramer <davecramer@postgres.rocks>
Date: 2023-12-23T15:13:58Z
Lists: pgsql-hackers
Attachments
- v0-0001-change-pw.patch (text/x-patch) patch v0-0001
- v0-0002-change-pw.patch (text/x-patch) patch v0-0002
- v0-0003-change-pw.patch (text/x-patch) patch v0-0003
I have recently, once again for the umpteenth time, been involved in discussions around (paraphrasing) "why does Postgres leak the passwords into the logs when they are changed". I know well that the canonical advice is something like "use psql with \password if you care about that". And while that works, it is a deeply unsatisfying answer for me to give and for the OP to receive. The alternative is something like "...well if you don't like that, use PQencryptPasswordConn() to roll your own solution that meets your security needs". Again, not a spectacular answer IMHO. It amounts to "here is a do-it-yourself kit, go put it together". It occurred to me that we can, and really should, do better. The attached patch set moves the guts of \password from psql into the libpq client side -- PQchangePassword() (patch 0001). The usage in psql serves as a ready built-in test for the libpq function (patch 0002). Docs included too (patch 0003). One thing I have not done but, considered, is adding an additional optional parameter to allow "VALID UNTIL" to be set. Seems like it would be useful to be able to set an expiration when setting a new password. I will register this in the upcoming commitfest, but meantime thought/comments/etc. would be gratefully received. Thanks, -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com