Hi,

> There have been a few complaints lately about the fact that we cavalierly
> allow clear text passwords to be sent when doing CREATE USER or ALTER USER.
> These, of course, can end up in many places, such as pg_stat_activity,
> pg_stat_statements, .psql_history, and the server logs. It is a genuinely
> valid complaint, and for security purposes, there is little recourse other
> than telling users "don't do that". The canonical recommendation is to use
> psql's awesome \password feature. Second best is to use your
> application/driver of choice, which hopefully has support for not sending
> passwords in the clear.

If the problem is that the password might be logged, wouldn't a proper solution be not to log such queries?

I don't see how a warning and an extra GUC will improve the overall security of the system, and I suspect very few users will voluntarily trade convenience for security by choosing "disallow". So in its current state the patch doesn't seem to help much.

--
Best regards,
Aleksander Alekseev