Re: Log of CREATE USER statement - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: Log of CREATE USER statement
Date
Msg-id 200512091834.10014.peter_e@gmx.net
In response to Re: Log of CREATE USER statement  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Log of CREATE USER statement
List pgsql-hackers
Tom Lane wrote:
> > However, I would like that the password defined in CREATE USER
> > statement was registered in MD5 format, independent of the form as
> > it was specified in that statement.
>
> Not going to happen --- we are not going to add that sort of analysis
> to the statement logging code, as the overhead would be unacceptable
> and the gain minimal.  This is hardly the only sensitive data that
> might be found in the postmaster log!  I suggest taking care with the
> file permissions on the log, instead.

While I agree that the overhead in the logging code does not seem
attractive, it's still a problem that the password handling in
PostgreSQL continues to be relatively insecure.  When we introduced MD5
passwords, one of the reasons was to prevent the administrator from
simply reading the users' passwords.  Users who choose a password
should have the assurance that the password cannot be seen in
plain text by anyone anywhere.  In a PostgreSQL system, the password
can be seen in all kinds of places, like the psql history, the server
log, the activity displays, and who knows where else.  I don't have a
good solution for this, but it should be addressed sometime.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/
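The two mitigations the thread circles around, sending the password to the server already in stored MD5 form so the statement text never carries the plain-text value, and scanning or redacting statement logs that do, can both be shown in a few lines. The following is an added example written for this page; it is not code from the thread, from PostgreSQL, or from psql. It relies on the documented stored format `md5` + hex(md5(password || username)) and assumes that the PASSWORD literal is a single-quoted string with doubled quotes as its escape, that user names are plain unquoted identifiers, and that the log lines are constructed here for illustration.

```python
import hashlib
import re

# PostgreSQL's stored MD5 password format: 'md5' followed by the hex MD5 of
# password || username (the user name acts as the salt).
MD5_PASSWORD_RE = re.compile(r"^md5[0-9a-f]{32}$")

# The PASSWORD literal inside CREATE USER / CREATE ROLE / ALTER USER text.
# Assumption: single-quoted literal, with '' as the only escape.
PASSWORD_LITERAL_RE = re.compile(r"(PASSWORD\s+)'((?:[^']|'')*)'", re.IGNORECASE)

# Only unquoted identifiers are accepted, to keep the example free of
# identifier-quoting pitfalls (assumption, not a PostgreSQL rule).
IDENTIFIER_RE = re.compile(r"^[a-z_][a-z0-9_]*$")


def pg_md5_password(password: str, username: str) -> str:
    """Hash a password into the form PostgreSQL stores in pg_authid."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_prehashed(literal: str) -> bool:
    """True when the PASSWORD literal is already in stored MD5 form."""
    return MD5_PASSWORD_RE.match(literal) is not None


def create_user_statement(username: str, password: str) -> str:
    """Build CREATE USER text whose PASSWORD literal is the hash, not the secret.

    Because the hashing happens on the client, the server log, the activity
    display and the psql history see only the md5... value.
    """
    if not IDENTIFIER_RE.match(username):
        raise ValueError("username must be a plain unquoted identifier")
    return f"CREATE USER {username} PASSWORD '{pg_md5_password(password, username)}'"


def find_plaintext_passwords(log_lines):
    """Return 1-based line numbers whose PASSWORD literal is not pre-hashed."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        for match in PASSWORD_LITERAL_RE.finditer(line):
            if not is_prehashed(match.group(2)):
                findings.append(lineno)
    return findings


def redact_password_literals(line: str) -> str:
    """Replace any PASSWORD literal with a fixed marker before the line is kept."""
    return PASSWORD_LITERAL_RE.sub(r"\1'<redacted>'", line)


# Constructed sample log lines; the second one was issued with a pre-hashed value.
SAMPLE_LOG = [
    "LOG:  statement: CREATE USER alice PASSWORD 'hunter2'",
    "LOG:  statement: CREATE USER bob PASSWORD '" + pg_md5_password("hunter2", "bob") + "'",
    "LOG:  statement: SELECT 1",
]

if __name__ == "__main__":
    print(create_user_statement("alice", "hunter2"))
    print("lines with plain-text passwords:", find_plaintext_passwords(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact_password_literals(line))
```

Pre-hashing removes the plain-text value from every place the message lists, but the `md5...` literal is still the credential the server compares against, so Tom's advice about permissions on the log file applies to it just as much; the redaction function is the safer default for any copy of the statement log that leaves the database host.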

