Re: Add a warning message when using unencrypted passwords
From | Guillaume Lelarge |
---|---|
Subject | Re: Add a warning message when using unencrypted passwords |
Date | |
Msg-id | c030f301-8f9d-4d0c-bd73-f07a2da70fa0@dalibo.com |
In response to | Re: Add a warning message when using unencrypted passwords (Guillaume Lelarge <guillaume.lelarge@dalibo.com>) |
List | pgsql-hackers |

On 04/02/2025 19:14, Guillaume Lelarge wrote:
> On 04/02/2025 17:59, Tom Lane wrote:
>> Guillaume Lelarge <guillaume.lelarge@dalibo.com> writes:
>>> v2 is attached.
>>
>> This seems pretty much entirely useless to me. The password
>> has already been leaked to the log (*and* the network, if
>> session is unencrypted), so what's the point of a warning?
>> And as already noted, this ignores several other hazards of
>> the same sort, so it's more likely to create a false sense of
>> security than anything else.
>>
>> (In addition to the points noted, what of event triggers?
>> Or ~/.psql_history?)
>>
>
> I agree that the warning itself doesn't make the password secure. But it
> never pretends to do that. If I, as a user, see a message like this, my
> next move will be to search for a way to change my password in a secure
> way.
>
> Warning users won't save everyone, but it may help some. Doing nothing
> helps no one.
>

FWIW, I just set my patch to the "Withdrawn" status on the commitfest app. Greg's patch is pretty much the same, and offers more options, I reviewed it, and it has my vote.

--
Guillaume Lelarge
Consultant
https://dalibo.com