On 24 March 2018 at 10:30, legrand legrand <legrand_legrand@xxxxxxxxxxx> wrote: > It seems that passwords used in commands are not removed when caught by > pg_stat_statements > (they are not "normalized" being utility statements) > > exemple: > alter role tt with password '123'; > > select query from public.pg_stat_statements > where query like '%password%'; > > query > ---------------------------------------- > alter role tt with password '123'; > > Do you think its a bug ? If it is, then it's not a bug in pg_stat_statements. log_statement = 'ddl' would have kept a record of the same thing. Perhaps the best fix would be a documentation improvement to mention the fact and that it's best not to use plain text passwords in CREATE/ALTER ROLE. Passwords can be md5 encrypted. -- David Rowley http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
