Re: PATCH: warn about, and deprecate, clear text passwords
From | Robert Haas |
---|---|
Subject | Re: PATCH: warn about, and deprecate, clear text passwords |
Date | |
Msg-id | CA+TgmoY1=af8d5T47wAW__vfaNXUY-QOP00bd_=Rzg=NPcNxJQ@mail.gmail.com |
In reply to | Re: PATCH: warn about, and deprecate, clear text passwords (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: PATCH: warn about, and deprecate, clear text passwords |
List | pgsql-hackers |
On Mon, Mar 3, 2025 at 1:47 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
> > I wonder if we could drum up some support for not including any
> > version of the password (even encrypted) in the query string. For
> > instance, let's say that to change your password you have to use the
> > new CHANGE PASSWORD command which can only be used at top level (not
> > inside PL code or whatever) and always takes a single parameter that
> > must be supplied via the extended query protocol.
>
> How would pg_dumpall cope with transferring passwords then?
>
> I could see insisting that plain-text passwords be supplied only
> that way. But removing the ability to have encrypted passwords
> in-line seems like a serious operational problem with little benefit.

Oh, good point. I don't know. I just have heard a LOT of complaining
about passwords showing up in the log, and I'm not sure insisting that
they have to all be encrypted is going to make all of the complaining
stop.

--
Robert Haas
EDB: http://www.enterprisedb.com