Re: PATCH: warn about, and deprecate, clear text passwords
| От | Isaac Morland |
|---|---|
| Тема | Re: PATCH: warn about, and deprecate, clear text passwords |
| Дата | |
| Msg-id | CAMsGm5ePTEVkzreF957TT7L2RapyfJ=fPAw-OoZ7+JQbWTvXSw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: PATCH: warn about, and deprecate, clear text passwords (Nathan Bossart <nathandbossart@gmail.com>) |
| Ответы |
Re: PATCH: warn about, and deprecate, clear text passwords
|
| Список | pgsql-hackers |
On Mon, 24 Feb 2025 at 15:47, Nathan Bossart <nathandbossart@gmail.com> wrote:
This is perhaps a nitpick, but one issue with ERROR-ing for clear text
passwords is that the default logging settings seem to send the statement
to the logs, too. So, it might actually increase the likelihood of the
password showing up in the logs. I'm not sure what else could be done, but
I believe the conventional wisdom is that logs can contain sensitive
information, so maybe it's okay... It still seems weird to me to try to
help folks to avoid logging passwords by logging their passwords.
It is definitely ironic, but it’s non-routinely logging their proposed new password which, due to the server settings, does not actually get set as the new password, in order to prevent routinely logging their passwords.
What I mean is, after the error is thrown and the proposed password logged, they need to re-try with a pre-encrypted password which will not be logged. If they choose a new password, then the logged one is irrelevant, and even if they don't, it's just one password rather than all the ones they change. So on the whole I think this is good. And in any case I believe the existing behaviour can still be had by configuration so we're not really imposing anything on anybody.
В списке pgsql-hackers по дате отправления: