Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Can you take care of the echo of entered password too,

I'm unconvinced that that's wrong, and will not change it without
more discussion. (1) The reason it was put in was to allow debugging
of "that's the wrong password" mistakes. (2) The postmaster log
inherently contains a great deal of sensitive information, so anyone
who runs with it world-readable has a problem already. (3) The password
is not emitted unless the message level is a lot lower than anyone would
routinely use. (4) If you're using the recommended MD5 encryption
approach, then what's logged is encrypted; it seems no more dangerous
than having encrypted passwords in pg_shadow.

regards, tom lane