On Wed, Oct 11, 2017 at 9:22 AM, Don Seiler <don@xxxxxxxxx> wrote:
> On Wed, Oct 11, 2017 at 9:48 AM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
>>
>> Don Seiler <don@xxxxxxxxx> writes:
>> > When I run a CREATE USER or ALTER USER statement and set a password for a
>> > user, that statement gets printed to the server log, along with the
>> > password, IN CLEAR TEXT.
>>
>> This is why psql has provisions for encrypting a new password on the
>> client side --- see \password.
>
> That's nice to have that option, but why even make it an option? If this is
> a dead horse that was finished being beaten years ago, my apologies. I'm
> curious what other non-psql clients do when allowing a user to change their
> password, I've only ever tried it with psql on the local DB host.
>
>> More generally, almost any SQL command might contain data that somebody
>> thinks is sensitive for some purpose or other. If you're going to log
>> commands, it behooves you to make sure the log is not widely readable.
>
> I strongly disagree. Sure, I might have HIPAA or financial data but we're
> talking about database user security here. Why would we *ever* want that
> logged to server logs? Regardless of if it was initially transmitted over
> the wire in plain text or whatever else the client/user can control, there
> should never be a reason to log that value in clear text (IMHO). It seems
> like it would only ever be a liability. Log the CREATE/ALTER user command
> (according to the log_statement value) but mask the password.

FYI our standard hack here is to run

set log_statement='none'; alter user ...

I do agree it would be nice to have postgres stamp out the password field
with *** when logging though

--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
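
Added example, not part of the original thread or of PostgreSQL's code: one way a non-psql client can follow the same idea as \password, deriving a SCRAM-SHA-256 verifier on the client so that the statement the server logs never contains the cleartext. It assumes PostgreSQL 10 or later and an ASCII password (no SASLprep normalization); the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import os


def scram_verifier(password, salt=None, iterations=4096):
    """Derive a SCRAM-SHA-256 verifier (key derivation per RFC 5802 / RFC 7677).

    Result layout: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>,
    with salt and keys base64-encoded. Assumes an ASCII password.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password change
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    return "SCRAM-SHA-256${}:{}${}:{}".format(
        iterations, b64(salt), b64(stored_key), b64(server_key)
    )


def quote_ident(name):
    """Quote a role name as an SQL identifier, doubling embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def alter_role_statement(role, password, salt=None):
    """Build the ALTER ROLE text to send; it carries only the verifier."""
    verifier = scram_verifier(password, salt)
    # The verifier is base64 plus '$', ':' and '-', so it cannot contain a
    # quote or backslash that would break out of the SQL string literal.
    assert "'" not in verifier and "\\" not in verifier
    return "ALTER ROLE {} PASSWORD '{}'".format(quote_ident(role), verifier)


if __name__ == "__main__":
    # Constructed sample role and password, for illustration only.
    print(alter_role_statement("app_user", "correct horse battery staple"))
```

With log_statement enabled, the server log then records the verifier string rather than the password, so the log_statement='none' workaround is not needed for this statement.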