Re: Reset expired password from .NET - Mailing list pgsql-interfaces

From Tom Lane
Subject Re: Reset expired password from .NET
Date
Msg-id 4868.1149030131@sss.pgh.pa.us
In response to Reset expired password from .NET  (Fernando Grijalba <jfercan@yahoo.com>)
List pgsql-interfaces
Fernando Grijalba <jfercan@yahoo.com> writes:
> I just realized that Postgresql does not differentiate between an invalid username/password or an expired password
> when it gives you the error message.
 

That's intentional.  Per the comments in auth.c:
 * Tell the user the authentication failed, but not (much about) why.
 *
 * There is a tradeoff here between security concerns and making life
 * unnecessarily difficult for legitimate users.  We would not, for example,
 * want to report the password we were expecting to receive...
 * But it seems useful to report the username and authorization method
 * in use, and these are items that must be presumed known to an attacker
 * anyway.
 * Note that many sorts of failure report additional information in the
 * postmaster log, which we hope is only readable by good guys.
 

        regards, tom lane
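
The behaviour described in the auth.c comment above, as an added example that is not part of the original message and is not PostgreSQL source: the client gets one message for every kind of failure, and the reason (unknown role, wrong password, expired password) goes only to the server log. All names, the sample roles and the message wording are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added illustration, not PostgreSQL source; every name here is hypothetical. */
typedef enum { AUTH_OK, AUTH_NO_USER, AUTH_BAD_PASSWORD, AUTH_EXPIRED } auth_reason;
typedef struct { const char *name, *password; time_t valid_until; } role;

/* Constructed sample roles. Plaintext and strcmp keep the example short;
 * a real server compares salted hashes in constant time. */
static const role roles[] = {
    { "alice", "correct horse", 0 },    /* 0 = never expires */
    { "bob",   "hunter2",       1000 }, /* expired long ago */
};

static auth_reason check(const char *user, const char *pw, time_t now)
{
    size_t i;
    for (i = 0; i < sizeof roles / sizeof roles[0]; i++) {
        if (strcmp(roles[i].name, user) != 0) continue;
        if (strcmp(roles[i].password, pw) != 0) return AUTH_BAD_PASSWORD;
        if (roles[i].valid_until && now >= roles[i].valid_until) return AUTH_EXPIRED;
        return AUTH_OK;
    }
    return AUTH_NO_USER;
}

/* client_msg goes over the wire; log_msg goes to the server log only. */
auth_reason authenticate(const char *user, const char *pw, time_t now,
                         char *client_msg, size_t cn, char *log_msg, size_t ln)
{
    static const char *why[] = { "ok", "role does not exist",
                                 "password does not match", "password expired" };
    auth_reason r = check(user, pw, now);
    if (r == AUTH_OK) snprintf(client_msg, cn, "ok");
    else snprintf(client_msg, cn, "password authentication failed for user \"%s\"", user);
    snprintf(log_msg, ln, "user \"%s\": %s", user, why[r]);
    return r;
}

int main(void)
{
    char c[128], l[128];
    authenticate("bob", "hunter2", time(NULL), c, sizeof c, l, sizeof l);
    printf("client: %s\nlog:    %s\n", c, l);
    return 0;
}
```

An application that needs to tell an expired password from a wrong one has to get that from the server log or from the role's expiry setting through an administrative path, not from the client-side error.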

