Hi List,
When I try to change my db password like below SQL statement from psql or pgAdmin tool, it outputs to server logs as like this:
postgres=# alter user mkoc password 'dummy';
ALTER ROLE
postgres=# alter user mkoc with password 'dummy';
ALTER ROLE
### Server Logs ###
2011-12-19 14:35:31 EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter user mkoc password 'dummy';
2011-12-19 14:35:41 EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter user mkoc with password 'dummy';
So, an OS user who can access to server log files can read DB users' clear-text passwords from these logs. In my opinion, this is a big security gap.
I don't want to see these changing password logs in clear-text. These logs must be encrypted passwords instead of clear-text like below:
Server Logs must be;
2011-12-19 14:35:31 EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter user mkoc password values 'XFADIT9248fDSKFD';
Is it possible to see changing passwords as encrypted? How should I change password or what is the correct sql statement to change user password?
Best Regards,
Murat KOC