On Mon, Mar 3, 2025 at 11:33 AM Nathan Bossart <nathandbossart@gmail.com> wrote:
> I think it would be good to hear some other opinions on whether we should
> consider sending clear-text passwords to the server as either 1) fully
> supported, 2) deprecated but with no intent to remove anytime soon, or 3)
> deprecated with the intent of removal at some point in the next several
> years. I personally am -1 on the warning unless we have a consensus on
> (3), but I'm +1 on adding a way to enforce "pre-encryption" regardless.

I wonder if we could drum up some support for not including any
version of the password (even encrypted) in the query string. For
instance, let's say that to change your password you have to use the
new CHANGE PASSWORD command which can only be used at top level (not
inside PL code or whatever) and always takes a single parameter that
must be supplied via the extended query protocol. I suppose there's
still a potential security exposure if people are logging parameters,
but maybe it's easier to avoid logging those parameters when the
command is CHANGE PASSWORD than it is to avoid logging a query string
with sensitive information in it.

If we introduced such a mechanism, perhaps we could eventually
deprecate ALTER USER as a method of changing passwords, or at least
have the option to disallow it. Or maybe we just want to add the
option to disallow it now, as proposed here -- but I'm not totally
convinced that will meaningfully improve security if the command still
exists and might still work on some systems.

--
Robert Haas
EDB: http://www.enterprisedb.com
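To make the "pre-encryption" that the thread contrasts with clear-text passwords concrete, here is an added example (not code from the thread or from PostgreSQL itself) that builds a SCRAM-SHA-256 verifier client-side in the documented `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` format, checks a password against it the way a server would, and shows the ALTER ROLE statement such a client would send. It assumes the default iteration count of 4096, omits SASLprep normalisation, and uses a hand-written quoting helper rather than a driver API; a real client would use libpq's `PQencryptPasswordConn` (what psql's `\password` does).

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumption: PostgreSQL's default scram_iterations value.
SCRAM_ITERATIONS = 4096


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = SCRAM_ITERATIONS) -> str:
    """Build a PostgreSQL-style SCRAM-SHA-256 verifier on the client.

    Only this string needs to travel to the server; the clear-text password
    never leaves the client. (SASLprep of the password is omitted here.)
    """
    if salt is None:
        salt = os.urandom(16)
    # SaltedPassword = PBKDF2-HMAC-SHA256(password, salt, iterations)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()   # what the server stores
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


_VERIFIER_RE = re.compile(r"^SCRAM-SHA-256\$(\d+):([^$]+)\$([^:]+):(.+)$")


def verify_password(password: str, verifier: str) -> bool:
    """Recompute the verifier from a candidate password and the stored salt and
    iteration count, then compare in constant time (mirrors server-side login)."""
    m = _VERIFIER_RE.match(verifier)
    if not m:
        return False
    iterations, salt = int(m.group(1)), base64.b64decode(m.group(2))
    return hmac.compare_digest(scram_sha256_verifier(password, salt, iterations), verifier)


def alter_role_sql(role: str, verifier: str) -> str:
    """Statement a pre-encrypting client sends. The verifier, not the password,
    is what ends up in the query string and therefore in any statement log;
    that residual exposure is the point raised in the message above."""
    # Hand-rolled SQL quoting (assumption: no driver available in this example).
    quoted_role = '"' + role.replace('"', '""') + '"'
    quoted_verifier = "'" + verifier.replace("'", "''") + "'"
    return f"ALTER ROLE {quoted_role} PASSWORD {quoted_verifier};"
```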